b"   October 15, 2003\n\n\n\n\nAcquisition\n\nImplementation of Interoperability\nand Information Assurance Policies\nfor Acquisition of Army Systems\n(D-2004-008)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality               Integrity       Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax\n  (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax\n  (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nC4I                   Command, Control, Communications, Computers, and Intelligence\nCRD                   Capstone Requirements Document\nDITSCAP               DoD Information Technology Security Certification Accreditation\n                         Program\nGIG                   Global Information Grid\nIA                    Information Assurance\nJITC                  Joint Interoperability Test Command\nNS                    National Security\nORD                   Operational Requirements Document\nSEP                   System Evaluation Plan\nSER                   System Evaluation Report\nSSAA                  System Security Authorization Agreement\nTEMP                  Test and Evaluation Master Plan\nTRADOC                Army Training and Doctrine Command\n\x0c\x0c          Office of the Inspector General of the Department of Defense\nReport No. D-2004-008                                                   October 15, 2003\n   (Project No. D2002AE-0187)\n\n            Implementation of Interoperability and Information\n            Assurance Policies for Acquisition of Army Systems\n\n                                Executive Summary\n\nWho Should Read This Report and Why? Civil Service and military managers, who\nare responsible for interoperability and information assurance requirements of Army\nweapon systems, should be interested in this report. This report addresses the importance\nof adhering to DoD and Army interoperability and information assurance policies to\nreduce the risk of Army weapon systems not being interoperable and able to exchange\ninformation in a secure manner with other DoD and allied systems.\n\nBackground. This report is the second in a series of reports on the implementation of\ninteroperability and information assurance policies for the acquisition of DoD weapon\nsystems. This report addresses the implementation of those policies within the Army.\nThe first report addressed the implementation of those policies within the Office of the\nSecretary of Defense and the Defense agencies. Other reports in the series will address\nhow effectively the Navy and the Air Force implement those policies and the impact of\nthe Military Departments\xe2\x80\x99 implementation at the unified combatant commands.\nInteroperability and information assurance policies include the Joint Vision 2020 and the\nGlobal Information Grid capstone requirement document.\n\nResults. The Army did not implement DoD policy that required the Army to define how\neach Army system will interface within the Global Information Grid to achieve joint\ninteroperability, did not adequately address interoperability during the requirements\ngeneration process, and did not consistently conduct information assurance testing for\nArmy acquisition programs. As a result, the Army has not ensured that 33 of 41 systems\nreviewed have the most effective, efficient, and assured information-handling capabilities\navailable, consistent with national military strategy, operational requirements, and best-\nvalue enterprise-level business practices. Issuing and implementing guidance to define\nhow each Army system will interface within the Global Information Grid; identifying\ninteroperability and supportability requirements and developing testable information\nassurance requirements during the requirements generation process; identifying roles and\nresponsibilities of combat developers in the DoD Information Technology Security\nCertification and Accreditation Process; and requiring the system security authorization\nagreement signatories to coordinate with the Army Test and Evaluation Command\nthroughout the acquisition cycle for Army systems subject to the DoD Information\nTechnology Security Certification and Accreditation Process should bring the oversight\nand improvements needed to those issues. (See the Finding section of the report for the\ndetailed recommendations.)\n\nManagement Comments and Audit Response. We received comments from the\nDirector, Operational Test and Evaluation; the Principal Director for Enterprise\nIntegration, Office of the Army Chief Information Officer; and the Acting Deputy for\nSystems Management, Office of the Assistant Secretary of the Army (Acquisition,\n\x0cLogistics, and Technology); however, we did not receive comments from the Army\nDeputy Chief of Staff for Operations and Plans on the draft report. The Director,\nOperational Test and Evaluation agreed with the findings and recommendations. The\nPrincipal Director, responding for the Secretary of the Army and the Army Chief\nInformation Officer, concurred with recommendations to issue and implement guidance\nto comply with Global Information Grid (GIG) policy, to expedite efforts to populate and\nmaintain the Army\xe2\x80\x99s portion of the GIG asset inventory, to provide Army combat\ndevelopers with training on the GIG, to update Army acquisition and materiel\nrequirements policy, and to validate warfighting requirements. However, the Principal\nDirector stated that program managers should not obtain interoperability certifications,\nexcept by exception. The Acting Deputy for Systems Management concurred with the\nrecommendations to update Army acquisition policy concerning testable information\nassurance requirements, roles and responsibilities of combat developers, and test and\nevaluation coordination. Further, although not required, the Principal Director\ncommented on recommendations addressed by the Acting Deputy. (See the Finding\nsection of this report for a discussion of the management comments and the Management\nComments section of the report for the complete text of the comments.)\n\nOffice of the Secretary of Defense guidance requires program managers to obtain\ninteroperability certifications. Therefore, we request that the Principal Director clarify\nhis response on program managers obtaining interoperability certifications on an\nexception basis. Further, we request that the Army Deputy Chief of Staff for Operations\nand Plans provide comments on the recommendation to update Army acquisition and\nmateriel requirements policy. The comments on this report should be provided by\nDecember 15, 2003.\n\n\n\n\n                                            ii\n\x0cTable of Contents\n\nExecutive Summary                                                                i\n\nBackground                                                                       1\n\nObjectives                                                                       3\n\nFindings\n     A. Compliance With the Global Information Grid                              4\n     B. Implementing Interoperability Policies                                  10\n     C. Information Assurance Testing of Army Systems                           20\n\nAppendixes\n     A. Scope and Methodology                                                   33\n            Prior Coverage                                                      34\n     B. Glossary                                                                35\n     C. Global Information Grid                                                 43\n     D. Army Interoperability and Information Assurance Survey Results          45\n     E. Army Programs Surveyed                                                  51\n     F. Information Assurance Requirements Policy                               52\n     G. Report Distribution                                                     54\n\nManagement Comments\n     Director, Operational Test and Evaluation                                  57\n     Secretary of the Army and Army Chief Information Officer                   58\n     Assistant Secretary of the Army (Acquisition, Logistics, and Technology)   65\n\x0cBackground\n    This report is the second in a series of reports on the implementation of\n    interoperability and information assurance (IA) policies within DoD. This report\n    addresses the Army\xe2\x80\x99s implementation of those policies in the:\n\n           \xe2\x80\xa2   interoperability requirements generation process and the oversight\n               thereof;\n\n           \xe2\x80\xa2   inclusion of adequate interoperability key performance parameters in\n               the requirements documents; and\n\n           \xe2\x80\xa2   interoperability certification process for Army systems.\n\n    Appendix B provides a glossary of technical terms used in this report.\n\n    Chairman of the Joint Chiefs of Staff Testimony on the President\xe2\x80\x99s Proposed\n    Defense Program for FYs 2003 to 2007. On February 6, 2002, General Myers,\n    the Chairman of the Joint Chiefs of Staff, testified before the U.S. House of\n    Representatives Committee on Armed Services. General Myers described how\n    Army, Navy, Air Force, and Marine Corps systems shared information to execute\n    combat operations in Afghanistan. He testified that:\n               To fulfill our range of commitments and protect our global interests,\n               we must make the investments necessary to maintain the quality of our\n               force, while preparing for future challenges of the 21st [century.] The\n               best means of accomplishing these goals are to improve our joint\n               war-fighting capability, and transform the armed forces into a 21st\n               century force.\n\n    Quadrennial Defense Review. On September 2001, the Quadrennial Defense\n    Review report stated that achieving the objectives of the defense strategy requires\n    the transformation of the U.S. Armed Forces. Two of the six critical operational\n    goals for the DoD transformational efforts relate to IA and interoperability:\n\n           \xe2\x80\xa2   assuring that, in the face of attack, information systems conduct\n               effective information operations; and\n\n           \xe2\x80\xa2   leveraging information technology and innovative concepts to develop\n               interoperable, joint command, control, communications, computers,\n               intelligence, surveillance, and reconnaissance architectures and\n               capability that includes an adaptable joint operational picture.\n\n    Joint Vision 2020. On May 30, 2000, the Chairman of the Joint Chiefs of Staff\n    issued Joint Vision 2020, which addressed the concept to design, and produce\n    systems with joint warfighting requirements. Joint Vision 2020 describes in broad\n    terms a future joint force whose operational capabilities will be required to\n    succeed across the full range of military operations and accomplish missions in the\n    year 2020 and beyond. Joint Vision 2020 states that interoperability is a mandate\n    for the future joint force especially for communications, common logistics items,\n    and information sharing. Information systems and equipment that enable a\n\n                                             1\n\x0ccommon, relevant operational picture must work from shared networks that can be\naccessed by any appropriately cleared participant. Another tenet of Joint\nVision 2020 is to attain information superiority. Information superiority supports\nproviding the right information to the right people, at the right time, and in the\nright format, resulting in a vastly improved shared understanding of the situation.\n\nGlobal Information Grid. In November 1999, the Joint Chiefs of Staff assigned\nthe Commander, U.S. Joint Forces Command the task of preparing the capstone\nrequirements document (CRD) for the Global Information Grid (GIG). On\nAugust 30, 2001, the Joint Requirements Oversight Council approved the CRD,\nwhich describes the overarching information capability requirements for a globally\ninterconnected, end-to-end, interoperable, and secured system-of-systems that\nwould support the Secretary of Defense, the warfighter, DoD personnel, the\nintelligence community, policy makers, and non-DoD users at all levels involved\nin military and nonmilitary operations. Appendix C discusses the GIG.\n\nArmy Transformation Roadmap. The Army Transformation Roadmap details\nhow the Army plans to progress towards attaining the goals for transformation\noutlined in the FY 2001 Quadrennial Defense Review. To meet three of the DoD\ntransformation pillars of strengthening joint operations, experimenting with\napproaches to warfare and operational capabilities, and leveraging intelligence\nand information technology, the Army will:\n\n       \xe2\x80\xa2   work directly with the Joint Staff, the Joint Forces Command, and the\n           Office of the Secretary of Defense\xe2\x80\x99s Office of Net Assessment;\n\n       \xe2\x80\xa2   evaluate concepts and technology in Joint and Army experimentation\n           by leveraging laboratories, analysis, and experimentation plans\n           supporting the development of the Objective Force; and\n\n       \xe2\x80\xa2   ensure reciprocity with the Joint Force\xe2\x80\x99s entire range of capabilities by\n           embedding full interoperability in its command, control,\n           communications, computers, intelligence (C4I), surveillance, and\n           reconnaissance technology.\n\nThe Army plans to achieve integration by incorporating compatible\ntechnologies and by standardizing interfaces and components across the force\nusing experiments and training. Furthermore, the Army plans to develop a\nmobile and flexible wireless infrastructure for passing secure and non-secure\nvoice, data, and video to ground commanders. This infrastructure constitutes\nthe Army\xe2\x80\x99s contribution to the GIG.\n\nConcepts to Develop a Secure Interoperable Joint C4I, Surveillance, and\nReconnaissance Architecture. The dominant enabler for Army transformation is\nto attain a seamless interoperable joint C4I, surveillance, and reconnaissance\narchitecture within the infrastructure. The Army vision starts with the Army\ncreating processes and designing a Web-based force for individuals or\norganizations to obtain needed knowledge from the infrastructure. During the\nArmy\xe2\x80\x99s transformation, the Web\xe2\x80\x99s use is to sustain and improve interoperability\nacross all Army components, within the Joint team and with multinational partners.\nArmy transformation efforts will produce the Objective Force systems with the\n\n\n                                     2\n\x0c           Future Combat Systems as the centerpiece. The Objective Force will have\n           embedded autonomous, self-synchronizing automated capabilities to support the\n           Joint Force. The Army faces a complex challenge in achieving an effective\n           coexistence between interoperability and IA within the context of many planning\n           documents such as the Joint Vision 2020, the GIG, and the Army Transformation\n           Roadmap.\n\n           Scope of Army Programs Surveyed. We judgmentally selected 41 new or\n           modified Army programs with research and development funding that interface\n           with other systems. We sent a questionnaire to each program office to survey\n           their awareness of interoperability and IA requirements. Appendix D contains the\n           results of the survey. In addition, we requested each program office to provide\n           the following documents:\n\n                    \xe2\x80\xa2    operational requirements document (ORD),1\n                    \xe2\x80\xa2    C4I Support Plans,\n                    \xe2\x80\xa2    test and evaluation master plans (TEMP), and\n                    \xe2\x80\xa2    system security authorization agreements (SSAA).\n\n           Appendix E lists the Army programs surveyed.\n\n           Overall Audit Project. This project is a continuation of work begun on Project\n           No. D2002AE-0009, \xe2\x80\x9cImplementation of Interoperability and Information\n           Assurance Policies for Acquisition of DoD Weapon Systems,\xe2\x80\x9d which addressed\n           whether the Office of the Secretary of Defense and the Defense agencies were\n           effectively implementing DoD interoperability and IA policies. Subsequent\n           audits are planned to address the adequacy of interoperability and information\n           assurance requirements for systems in the Navy and the Air Force, and used by\n           the unified combatant commands.\n\nObjectives\n           The primary audit objective was to evaluate whether the Army was effectively\n           implementing DoD interoperability and IA policies. The audit determined\n           whether the Army was effectively identifying system interoperability and IA\n           requirements in the requirements generation process. See Appendix A for a\n           discussion of the audit scope and methodology, and prior coverage related to the\n           audit objectives.\n\n\n\n\n1\n    DoD Instruction 5000.2, \xe2\x80\x9cOperation of the Defense Acquisition System,\xe2\x80\x9d May 12, 2003, states that,\n    during system development and demonstration, the capability development document instead of the ORD\n    will have the detailed operational performance parameters. Further, the Instruction states that the\n    capability production document instead of the ORD will have the operational requirements resulting from\n    system development and demonstration and will detail the performance expected of the production\n    system. However, this report uses the term ORD because the programs reviewed during the audit used\n    ORDs.\n\n\n                                                      3\n\x0c                    A. Compliance With the Global\n                       Information Grid\n                    The Army did not implement DoD policy that required the Army to\n                    define how each Army system will interface within the GIG to achieve\n                    joint interoperability. DoD policy was not implemented because the\n                    Secretary of the Army, or his designated representative, did not:\n\n                             \xe2\x80\xa2    issue guidance to comply with the DoD GIG policy;\n\n                             \xe2\x80\xa2    populate and maintain the Army\xe2\x80\x99s portion of the GIG asset\n                                  inventory; and\n                             \xe2\x80\xa2    provide Army program offices and combat developers2 at the\n                                  Army Training and Doctrine Command (TRADOC) with\n                                  training that addresses policy and compliance issues related to\n                                  the GIG.\n\n                    Without a defined policy depicting how each Army system will interface\n                    within the GIG, the Army has not ensured that its systems have the most\n                    effective, efficient, and secure information-handling capabilities\n                    available, consistent with national military strategy, operational\n                    requirements, and best-value enterprise-level business practices.\n\nGlobal Information Grid Policy\n            DoD Directive 8100.1, \xe2\x80\x9cGlobal Information Grid (GIG) Overarching Policy,\xe2\x80\x9d\n            September 19, 2002, and DoD Instruction 5000.2, \xe2\x80\x9cOperation of the Defense\n            Acquisition System,\xe2\x80\x9d May 12, 2003, provide policy concerning the GIG.\n\n            DoD Directive. DoD Directive 8100.1 establishes policy and assigns\n            responsibilities for GIG configuration management and architecture and applies\n            to the Office of the Secretary of Defense as well as the Military Departments.\n            The Directive states that the DoD Components will plan, resource, acquire, and\n            implement the GIG in accordance with the DoD Directives System 5000 series.\n            The Directive requires GIG assets to be interoperable to meet the requirements of\n            approved requirements documents and to comply with the operational, system,\n            and technical architecture views. Before DoD issued DoD Directive 8100.1, the\n            above requirements were included in DoD Memorandum, \xe2\x80\x9cDoD Chief\n            Information Officer (CIO) Guidance and Policy Memorandum No. 8-8001,\xe2\x80\x9d\n            March 31, 2000.\n\n            DoD Instruction. DoD Instruction 5000.2 requires the DoD Chief Information\n            Officer to lead the development and facilitate the implementation of the GIG\n\n2\n    Army Regulation 71-9 states that the Army Training and Doctrine Command is the Army combat\n    developer, who serves as the user representative for system acquisitions. The combat developer is\n    responsible for development and approval of materiel requirements, as well as, doctrine and organization.\n\n\n                                                       4\n\x0c          Integrated Architecture, which supports all mission area and capability\n          architectures.3 Further, the Instruction requires the Military Departments and\n          the Defense Agencies to participate in the identification of the appropriate\n          technical view consisting of standards that define and clarify the individual\n          systems technology and integration requirements. The Instruction also requires\n          the acquisition of all information technology systems to be consistent with the\n          GIG policies. The combat developer for each system is to document a key\n          performance parameter for interoperability requirements in the ORD.\n\n    Implementing Global Information Grid Policy in ORDs\n          The Army did not implement DoD policy that required the Army to define how\n          each Army system will interface within the GIG to achieve interoperability. DoD\n          policy was not implemented because the Secretary of the Army, or his designated\n          representative, did not provide direction to Army user representatives to\n          implement the DoD GIG policy in the requirements generation process. Because\n          combat developers at TRADOC lacked awareness of their GIG requirements,\n          33 of the 41 Army programs surveyed had ORDs that did not include\n          requirements identifying how the systems would interface within the GIG.\n\n          Combat Developers Awareness of the GIG. Combat developers at the\n          TRADOC were not fully aware of how to implement the GIG requirements. The\n          TRADOC stated that combat developers were adding boilerplate statements for\n          the GIG capstone requirements document and hoping to build software with\n          common specifications, standards, or processes. Interviews with six directorates\n          of combat development established that each combat developer had a different\n          understanding of how to comply with GIG requirements. In addition, TRADOC\n          personnel stated that they did not have a database or tool for tracking ORDs to\n          determine which systems were required to interface within the GIG.\n\n          Complying with GIG Policy. During the requirements definition and\n          development stage, the combat developers are required to link the ORD to the\n          appropriate CRD. The GIG Capstone Requirements Document states that the\n          GIG includes any system, equipment, software, or service that meets one or more\n          of the following criteria:\n\n                   \xe2\x80\xa2   transmits information to, receives information from, routes\n                       information among, or interchanges information among other\n                       equipment, software, and services;\n\n\n3\n The June 2001 and April 2002 versions of DoD Regulation 5000.2-R required the DoD Chief\n Information Officer\xe2\x80\x99s acquisition-related responsibilities to focus on key principles such as the\n operational view of the approved GIG Integrated Architecture and the approved GIG CRD. The review\n was to focus on compliance with GIG-related policies and the approved GIG Integrated Architecture.\n The principal participants at DoD Chief Information Officer reviews include the cognizant program\n executive officer and program manager and Component acquisition executives and chief information\n officers of the Military Departments. Further, the Regulation required that the C4I support plan provide\n a qualitative assessment addressing the GIG integrated architecture and relevant mission area integrated\n architectures.\n\n\n                                                      5\n\x0c           \xe2\x80\xa2   provides retention, organization, visualization, IA, or disposition of\n               data, information, or knowledge received from or transmitted to other\n               equipment, software, and services; or\n\n           \xe2\x80\xa2   processes data or information for use by other equipment, software, or\n               services.\n\n    Further, the GIG Capstone Requirements Document requires that an ORD for\n    new systems and for upcoming legacy systems that are associated with GIG\n    systems, regardless of acquisition category, must comply with the GIG Capstone\n    Requirements Document.\n\n    Applicability of the GIG Capstone Requirements Document. The GIG\n    Capstone Requirements Document applies to the 41 systems surveyed because\n    those systems interoperate with other systems. Consequently, we reviewed the\n    ORDs obtained from the 41 program offices to determine whether the combat\n    developers addressed GIG requirements during the requirements generation\n    process. Although required, combat developers had updated only 24 of the\n    41 ORDs after the GIG Capstone Requirements Document was issued on\n    August 30, 2001. Further, combat developers linked only eight of the updated\n    ORDs to the GIG capstone requirements documents.\n\nGIG Asset Inventory\n    GIG Asset Inventory Policy. DoD Directive 8100.1 requires the DoD\n    Components to populate and maintain their portion of the GIG asset inventory;\n    and acquire or procure, in compliance with the GIG architecture, all leased,\n    owned, operated, or managed GIG systems, services, upgrades, or expansions to\n    existing systems or services.\n\n    Army GIG Asset Inventory. Personnel in the Army Chief Information Office\n    stated that the Army had not compiled an inventory of GIG assets to comply with\n    DoD Directive 8100.1. Although no Army GIG asset inventory existed, we asked\n    the 41 Army program offices surveyed whether they considered their programs to\n    be part of the GIG asset inventory. The program offices responses were as\n    follows:\n\n           \xe2\x80\xa2   17 Army program offices responded that their programs were part of\n               the GIG asset inventory,\n\n           \xe2\x80\xa2   11 Army program offices responded that their programs were not part\n               of the GIG asset inventory, and\n\n           \xe2\x80\xa2   13 Army program offices were not sure whether their programs were\n               part of GIG asset inventory.\n\n    Appendix D contains the complete results of the program offices\xe2\x80\x99 survey.\n\n\n\n\n                                        6\n\x0c            Efforts to Establish a GIG Asset Inventory. The Army Chief Information\n            Officer is defining the Army Joint Technical Architecture.4 Part of that effort is\n            the Army Enterprise Infostructure Transport, which is a three-phased approach\n            that will outline how each Army system will interface within the GIG to achieve\n            joint interoperability.\n\n                    \xe2\x80\xa2    Phase I will stand up enterprise network transport, which will\n                         document, model, and analyze the network topology and primary\n                         interfaces of Army networks;\n\n                    \xe2\x80\xa2    Phase II will integrate and optimize subnetworks and develop a\n                         migration strategy to integrate the Army networks into a single\n                         network; and\n\n                    \xe2\x80\xa2    Phase III will establish enterprise storage and core common services\n                         that will consolidate network services, application hosting, data\n                         storage, and network management.\n\n            After the Army Chief Information Office establishes the Army Enterprise\n            Infostructure-Transport, it will compile the Army GIG asset inventory.\n\nGIG Training\n            The Army Director of Information Operations Space and Networks, Office of the\n            Chief Information Officer agreed that the majority of combat developers did not\n            understand how their systems interfaced within the GIG. Because the GIG is a\n            major part of interoperability, awareness of the GIG is essential for the Services\n            to achieve total joint interoperability as outlined in Joint Vision 2020. To correct\n            this knowledge deficiency, the Director believed that training should be provided\n            to combat developers and program managers on how the GIG works and how\n            their respective systems interface within the GIG.\n\n            Although GIG training for the combat developers is needed, Army-wide training\n            has not been provided. Personnel from the Army Chief Information Office stated\n            that training the combat developers and program managers before the Army\n            defines how each Army system will interface within the GIG and coordinates\n            policies and procedures with the GIG Capstone Requirements Document would\n            be premature. Further, the personnel stated that until the Army establishes its\n            Joint Technical Architecture, the combat developers may not be able to fully\n            comply with GIG requirements and provide all needed training.\n\n\n\n\n4\n    The Joint Technical Architecture is a common set of mandatory information technology standards, which\n    are primarily interface standards and guidelines to be used by all emerging systems and systems upgrades,\n    including advanced concept technology demonstrations.\n\n\n                                                       7\n\x0cEffect on Implementing the Global Information Grid Policy\n     Without a defined policy depicting how each Army system will interface within\n     the GIG, the Army cannot ensure that its systems have the most effective,\n     efficient, and assured information-handling capabilities available, consistent with\n     national military strategy, operational requirements, and best-value enterprise-\n     level business practices.\n\nManagement Comments on the Finding\n     Although not required to comment, the Director, Operational Test and Evaluation\n     agreed with the finding. For the complete text of the Director\xe2\x80\x99s comments, see\n     the Management Comments section of the report.\n\nRecommendations and Management Comments\n     A. We recommend that the Secretary of the Army:\n\n            1. Issue and implement guidance to comply with DoD\n     Directive 8100.1, \xe2\x80\x9cGlobal Information Grid (GIG) Overarching Policy,\xe2\x80\x9d\n     September 19, 2002, which requires the Army to define how each Army\n     system will interface within the Global Information Grid to achieve joint\n     interoperability.\n\n     Principal Director for Enterprise Integration, Office of the Army Chief\n     Information Officer Comments. The Principal Director, responding for the\n     Secretary of the Army, concurred, stating that the Army is revising Army\n     Regulation 25-1, \xe2\x80\x9cArmy Information Management,\xe2\x80\x9d May 31, 2002, and Army\n     Regulation 70-1, \xe2\x80\x9cArmy Acquisition Policy,\xe2\x80\x9d December 15, 1997, to include the\n     requirements of DoD Directive 8100.1. Further, he stated that any requirements\n     not adequately addressed will be incorporated into the next revision of those\n     regulations. The Principal Director also stated that the Army published its Army\n     Knowledge Implementation Plan in September 2003 and the next revision of the\n     plan will address how Army systems will interface with the GIG. For the\n     complete text of the Principal Director\xe2\x80\x99s comments, see the Management\n     Comments section of the report.\n\n     Director, Operational Test and Evaluation Comments. Although not required\n     to comment, the Director agreed with the recommendation. For the complete text\n     of the Director\xe2\x80\x99s comments, see the Management Comments section of the report.\n\n\n\n\n                                          8\n\x0c       2. Expedite efforts to populate and maintain the Army\xe2\x80\x99s portion of\nthe Global Information Grid asset inventory in accordance with DoD\nDirective 8100.1, \xe2\x80\x9cGlobal Information Grid (GIG) Overarching Policy,\xe2\x80\x9d\nSeptember 19, 2002.\n\nPrincipal Director for Enterprise Integration Comments. The Principal\nDirector concurred, stating that the Army expects to complete documenting its\ninformation technology assets by the end of the first quarter of FY 2004. Further,\nhe stated that the Army will develop an enterprise management strategy to\noversee those information technology assets by the end of the second quarter of\nFY 2004 and expects to implement the strategy in the first quarter of FY 2005.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation.\n\n       3. Provide Army combat developers at the Army Training and\nDoctrine Command with training on how to implement the requirements of\nthe Global Information Grid.\n\nPrincipal Director for Enterprise Integration Comments. The Principal\nDirector concurred, stating that, using the strategy outlined in the Army\nKnowledge Management Goals, the Army will provide guidance to the Army\nTraining and Doctrine Command on how to develop training to implement GIG\nrequirements by the end of the fourth quarter of FY 2004.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation.\n\n\n\n\n                                    9\n\x0c           B. Implementing Interoperability Policies\n           The Army requirements community did not adequately address\n           interoperability in the requirements generation process for use in the\n           acquisition process. Interoperability was not adequately addressed\n           because the Army Deputy Chief of Staff for Operations and Plans, in\n           coordination with Army Chief Information Office, did not update Army\n           regulations pertaining to system acquisitions to implement DoD and Joint\n           Staff interoperability requirements for:\n\n                  \xe2\x80\xa2   combat developers to identify interoperability requirements in\n                      requirements documents and to update the requirements\n                      throughout the life of the systems, as necessary;\n\n                  \xe2\x80\xa2   program managers to use C4I support plans to document\n                      interoperability and supportability requirements; and\n\n                  \xe2\x80\xa2   program managers to obtain Director, Command, Control,\n                      Communications, and Computer Systems Directorate (J-6) (the\n                      Joint Staff J-6) validation of system warfighter interoperability\n                      requirements.\n\n           Without updating Army regulations to effectively implement DoD\n           interoperability policy, the Army risks developing systems that operate\n           independently of other Army and DoD systems and not realizing the\n           full benefits of interoperable DoD systems that conform to the GIG\n           and satisfy the needs of the warfighter as outlined in Joint\n           Vision 2020.\n\nInteroperability Requirements\n    The Army did not consistently include interoperability requirements in its\n    requirements documents because the Army Deputy Chief of Staff for Operations\n    and Plans, in coordination with the Army Chief Information Officer, had not\n    updated its implementing regulations for interoperability. As a result, combat\n    developers for only 15 of the 41 Army program offices surveyed had included\n    testable interoperability key performance parameters and information exchange\n    requirements in ORDs.\n\n    DoD Interoperability Requirements Policy. DoD Directive 4630.5,\n    \xe2\x80\x9cInteroperability and Supportability of Information Technology (IT) and National\n    Security Systems (NSS)\xe2\x80\x9d January 11, 2002, as implemented in DoD\n    Instruction 4630.8, \xe2\x80\x9cProcedures for Interoperability and Supportability of\n    Information Technology (IT) and National Security Systems (NSS),\xe2\x80\x9d May 2,\n    2002, require the DoD Components to identify interoperability and supportability\n    requirements for information technology and National Security (NS) systems\n    during the acquisition process and update as necessary throughout the system\xe2\x80\x99s\n    life. Specifically, DoD policy requires the DoD Components to define and\n    develop information exchange requirements and interoperability key performance\n\n\n                                       10\n\x0c               parameters. The information exchange requirements characterize the information\n               exchanges to be performed by the proposed system. The interoperability key\n               performance parameter defines the level of interoperability for the proposed\n               system and will be derived from the information exchange requirements. The\n               interoperability key performance parameter is to be measurable and testable.5\n\n               Review of Operational Requirement Documents. Based on our review of the\n               ORDs for the 41 Army programs surveyed, we determined whether the combat\n               developers included information exchange requirements and associated\n               interoperability key performance parameters that could be measured, tested, and\n               evaluated. The following table shows the number of Army programs surveyed\n               that did not have information exchange requirements and associated\n               interoperability key performance parameters.\n\n                                          Interoperability Requirements Not Established in ORDs.\n\n                                     45\n                                     40\n           Number of ORDs Reviewed\n\n\n\n\n                                     35\n                                     30\n                                     25\n                                     20\n                                     15\n                                     10             23\n                                                                                 17\n                                      5\n                                      0\n                                            Information Exchange           Key Performance\n                                                 Requirements                 Parameters\n\n               In addition, of the 24 ORDs that included interoperability key performance\n               parameters, 16 ORDs had key performance parameters that could be measured,\n               tested, and evaluated.\n\n               According to Joint Staff policy memorandum, \xe2\x80\x9cPolicy for Updating Operational\n               Requirements Documents to Incorporate the Interoperability Key Performance\n               Parameter and Cost,\xe2\x80\x9d November 16, 1999, all ORDs supporting a system\n               development and demonstration or production and deployment milestone\n\n\n5\n    Measurable and testable key performance parameters are parameters that testers can use to measure, test,\n    and evaluate the obtainment of system objectives and thresholds.\n\n\n\n                                                                   11\n\x0c            decision6 after March 1, 2001, will be updated to include information exchange\n            requirements and interoperability key performance parameters.\n\n            Updated Army Interoperability Requirements. The Army did not consistently\n            include interoperability requirements in its requirements documents because the\n            applicable Army ORD preparation guidance was not up-to-date. Army\n            Regulation 71-9, \xe2\x80\x9cMateriel Requirements,\xe2\x80\x9d April 30, 1997, provides Army policy\n            and procedures for materiel warfighting requirements and assigns the Army\n            Deputy Chief of Staff for Operations and Plans with the responsibility for\n            updating and maintaining the Regulation.\n\n                    On February 21, 2000, the Army Deputy Chief of Staff for Operations and\n            Plans issued a memorandum, \xe2\x80\x9cPolicy for Updating Operational Requirements\n            Documents (ORDs) to Incorporate Interoperability Key Performance Parameters\n            (KPPs) and Costs,\xe2\x80\x9d which states that all requirements documents currently in the\n            approval process, regardless of acquisition category, must include interoperability\n            key performance parameters as required in the previous version of Chairman of\n            the Joint Chiefs of Staff Instruction 3170.01B, \xe2\x80\x9cRequirements Generation\n            System,\xe2\x80\x9d April 15, 2001.7 The requirements documents that are receiving\n            funding must be updated by October 1, 2000.\n\n                    On April 12, 2001, the Army Deputy Chief of Staff for Operations and\n            Plans issued a memorandum, \xe2\x80\x9cApproval of Army Warfighting Requirements\xe2\x80\x93\n            Interim Implementation Guidance,\xe2\x80\x9d that serves as interim guidance pending an\n            update to Army Regulation 71-9, which was last updated April 30, 1997. The\n            interim guidance applies to all requirements documents regardless of acquisition\n            category. However, the Regulation and the interim guidance do not require the\n            Army combat developers to identify interoperability and supportability\n            requirements for information technology and NS systems during the requirements\n            generation process and to update the requirements as necessary throughout the\n            system\xe2\x80\x99s life, in accordance with DoD Policy.\n\n            Although the Army Deputy Chief of Staff for Operations and Plans issued a few\n            policy memorandums, the Army Deputy Chief of Staff for Operations and Plans\n            has not updated Army Regulation 71-9 since 1997. The Army Deputy Chief of\n            Staff for Operations and Plans needs to update the regulation to incorporate the\n            interoperability requirements. If combat developers do not identify\n            interoperability key performance parameters in the ORDs, program managers\n            cannot incorporate those interoperability requirements into the C4I support plans\n            and the TEMPs.\n\n\n\n\n6\n    As of the date of the policy memorandum, the system development and demonstration milestone and\n    production and deployment milestone were referred to as Milestone II and Milestone III, respectively.\n7\n    Subsequent to the issuance of the draft audit report, the Joint Staff issued Chairman of the Joint Chiefs of\n    Staff Instruction 3170.01C, \xe2\x80\x9cJoint Capabilities Integration and Development System,\xe2\x80\x9d June 24, 2003,\n    which canceled Chairman of the Joint Chiefs of Staff Instruction 3170.01B.\n\n\n                                                        12\n\x0cC4I Support Plans\n           DoD Instruction 4630.8 requires program managers to prepare a C4I support plan\n           to document interoperability and supportability requirements. The C4I support\n           plan is a mechanism to identify and resolve implementations issues related to\n           C4I surveillance and reconnaissance infrastructure and interface requirements.\n           DoD Instruction 4630.8 also requires program managers to:\n\n                    \xe2\x80\xa2    prepare the initial C4I support plan before the system development and\n                         demonstration milestone decision and\n\n                    \xe2\x80\xa2    maintain the C4I support plans throughout the acquisition life cycle.\n\n           At each milestone review, C4I support plans are to contain progressively more\n           detailed and specific time-phased descriptions of the types of information needed:\n           operational, systems, and technical architecture views; security, connectivity, and\n           interoperability issues; and infrastructure and support shortfalls.\n\n           Review of C4I Support Plans. Based on our review of the 41 Army programs\n           surveyed, we determined that Army program managers were not, for the most\n           part, preparing C4I support plans. Specifically, we requested C4I support plans\n           from the 41 Army program offices.8 Thirty-seven of the 41 Army programs were\n           past the system development and demonstration milestone decision. As a result,\n           the program managers for those 37 programs should have prepared a C4I support\n           plan. However, program managers for only 13 of the 37 programs had a\n           C4I support plan.\n\n           C4I Support Plan Requirement. Although DoD policy states that program\n           managers for all acquisition systems past the system development and\n           demonstration milestone decision should have a C4I support plan, the 24 other\n           Army program offices stated that they did not prepare a C4I support plan because:\n\n                    \xe2\x80\xa2    the program had entered full-rate production before the C4I support\n                         plan became a requirement (11 program offices);\n\n                    \xe2\x80\xa2    the program was part of another program (1 program office);\n\n                    \xe2\x80\xa2    the cost to prepare a C4I support plan was not justifiable (1 program\n                         office);\n\n                    \xe2\x80\xa2    the program did not interface with other programs (3 program offices);\n                         and\n\n                    \xe2\x80\xa2    the program office planned to prepare or was beginning to prepare a\n                         C4I support plan (8 program offices).\n\n8\n    We requested C4I support plans by a data request and followed up with phone calls to the program offices\n    to verify that C4I support plans did not exist. In addition, we contacted the Office of the Army Chief\n    Information Officer to obtain C4I support plans.\n\n\n\n                                                      13\n\x0c           In addition, the Army Deputy Chief of Staff for Operations and Plans, in\n           coordination with Army Chief Information Office, had not updated Army\n           acquisition regulations to conform with DoD policy. Specifically, Army\n           Regulation 70-1, \xe2\x80\x9cArmy Acquisition Policy,\xe2\x80\x9d December 15, 1997, which\n           implements the Army\xe2\x80\x99s acquisition policy for all Army acquisition programs,\n           and Army Regulation 71-9 do not require Army program managers for all\n           acquisition programs to prepare a C4I support plan to document\n           interoperability and supportability requirements, as required by DoD\n           Instruction 4630.8. Accordingly, Army program managers were not benefiting\n           from preparing C4I support plans to describe system dependencies and\n           interfaces in sufficient detail to enable them and operational testers to test\n           interoperability key performance parameters derived from information\n           exchange requirements.\n\nInteroperability Certification Process\n           Interoperability is essential for seamless and effective operations of joint,\n           combined, and coalition forces. To implement, DoD established an\n           interoperability certification process to ensure that joint information technology\n           and NS systems conform to DoD policy, doctrine and interoperability standards.\n           However, the Army Deputy Chief of Staff for Operations and Plans, in\n           coordination with Army Chief Information Officer, did not implement\n           procedures for the interoperability certification process. As a result, Army\n           program managers did not always obtain the required interoperability\n           requirements and supportability certifications and validations from the Joint\n           Staff J-6. The Joint Staff J-6 certification and validation process consists of the\n           following three forms of capability confirmation:\n\n                    \xe2\x80\xa2   interoperability requirements certification,\n\n                    \xe2\x80\xa2   supportability certification, and\n\n                    \xe2\x80\xa2   interoperability system validation.\n\n           Joint Staff J-6 Interoperability Requirements Certification. Chairman\n           of the Joint Chiefs of Staff Instruction 6212.01B, \xe2\x80\x9cInteroperability and\n           Supportability of National Security Systems, and Information Technology\n           Systems,\xe2\x80\x9d May 8, 2000,9 requires the Joint Staff J-6 to certify\n           interoperability requirements in the ORDs before milestone decisions of\n           system acquisition programs. The Joint Staff J-6 certifies mission need\n           statements, CRDs, and ORDs, regardless of acquisition category level, for\n           conformance with joint information technology and NS system policy and\n           doctrine and interoperability standards. As part of the review process, the\n           Joint Staff J-6 requests assessments from the Military Departments, the\n           Defense Information Systems Agency, and other DoD agencies through the\n           Joint Staff J-6 assessment tool.\n9\n    According to the Joint Staff, the Chairman of the Joint Chiefs of Staff Instruction 6212.01B,\n    \xe2\x80\x9cInteroperability and Supportability of National Security Systems, and Information Technology,\xe2\x80\x9d May 8,\n    2000, is being updated for issuance in November 2003.\n\n\n                                                     14\n\x0c        Results of Interoperability Requirements Certification. We reviewed the\n        41 Army programs surveyed to determine whether combat developers had the\n        Joint Staff J-6 certify the interoperability requirements in their ORDs. Of the\n        41 programs, 11 combat developers had obtained the required interoperability\n        requirements certification and 7 combat developers had entered their ORDs\n        into the interoperability requirements certification process within the last year.\n        Of the remaining 23 programs reviewed:\n\n                \xe2\x80\xa2   13 combat developers had their ORDs in the interoperability\n                    requirements certification process for more than 1 year without any\n                    advancement, and\n\n                \xe2\x80\xa2   10 combat developers did not submit their ORDs to the Joint Staff J-6\n                    for review in the interoperability requirements certification process.\n\n        According to the Office of the Army Deputy Chief of Staff for Operations and\n        Plans, 22 of the 23 programs were not being formally updated in preparation for a\n        milestone decision review, so the ORDs did not need to be submitted to the Joint\n        Staff J-6 for the interoperability requirements certification process.\n\n        However, 9 of the 23 programs had milestone decisions since the issuance of\n        Joint Staff policy or have upcoming milestone decisions within the next year;\n        therefore, we determined that the ORDs should have been updated or should be\n        updated to include information exchange requirements and an interoperability key\n        performance parameters. Further, the ORDs should have been subjected or\n        should be subjected to interoperability requirements certification. In addition, 19\n        of the 23 programs were budgeted for funding in FY 2003 and, according to the\n        February 21, 2000, Army Deputy Chief of Staff for Operations and Plans policy\n        memorandum, requirements documents should be updated and interoperability\n        certification obtained.\n\n        Joint Staff J-6 Supportability Certification. Chairman of the Joint Chiefs of\n        Staff Instruction 6212.01B requires the Joint Staff J-6 to certify to the Assistant\n        Secretary of Defense (Networks and Information Integration)10 that C4I\n        support plans, regardless of acquisition category, adequately address\n        information technology and NS system infrastructure requirements, the\n        availability of bandwidth and spectrum support, funding, and personnel, and\n        also identify dependencies and interface requirements among systems. As part\n        of the review process, the Joint Staff J-6 requests supportability assessments\n        from the Defense Information Systems Agency and other DoD agencies\n        through the Joint Staff J-6 assessment tool. Further, DoD Instruction 4630.8\n        requires that the Joint Staff J-6 conduct a supportability certification of\n        C4I support plans before milestone decisions for submission to the Assistant\n        Secretary of Defense (Networks and Information Integration) as part of the\n        C4I support plan review process.\n\n\n\n\n10\n  Formerly named the Assistant Secretary of Defense (Command, Control, Communications, and\n Intelligence).\n\n\n                                                15\n\x0cResults of Joint Staff J-6 Supportability Certification. Of the 17 C4I support\nplans obtained for the 41 Army programs surveyed, as discussed earlier:\n\n       \xe2\x80\xa2   3 program managers had received the required supportability\n           certification of their C4I support plans from the Joint Staff J-6 ,\n\n       \xe2\x80\xa2   2 program managers had their C4I support plans in the\n           supportability certification process for more than 1 year without any\n           advancement, and\n\n       \xe2\x80\xa2   12 program managers did not submit their C4I support plans to the\n           Joint Staff J-6 for review in the supportability certification process.\n\nEven though Chairman of the Joint Chiefs of Staff Instruction 6212.01B requires\nthe Joint Staff J-6 to certify C4I support plans, regardless of acquisition category,\npersonnel in the Army Chief Information Office were of the opinion that only\nAcquisition Category I programs are required to have their C4I support plans\ncertified by the Joint Staff J-6.\n\nJoint Staff J-6 Interoperability System Validation. Chairman of the Joint\nChiefs of Staff Instruction 6212.01B states that the Joint Staff J-6 validation is\nintended to provide total life-cycle oversight of warfighter interoperability\nrequirements, which occurs after the Joint Staff J-6 interoperability requirements\nand supportability certifications. As part of the system validation process, the\nprogram managers are required to submit their systems to the Joint\nInteroperability Test Command (JITC) for interoperability testing and\ncertification. Further, the Instruction states that the Joint Staff J-6 is to validate\nthe JITC interoperability system test results 15 days after the JITC certification.\nAccording to the Instruction, Military Departments and Defense agencies are\nrequired to have those systems undergo interoperability certification testing\nbefore the full-rate production decision approval for all new or modified\ninformation technology and NS systems.\n\nResults of Interoperability System Validation. Of the 41 programs surveyed,\n11 programs had a production and fielding milestone decision since May 2000,\nwhen the Chairman of the Joint Chiefs of Staff Instruction 6212.01B was issued.\nHowever, none of the program managers had obtained the Joint Staff J-6\ninteroperability validation for their systems as required by the Joint Staff policy\ndiscussed above.\n\nFurthermore, eight program managers requested JITC to perform interoperability\ntesting before obtaining Joint Staff J-6 certification of the interoperability\nrequirements contained in the ORD, as required by Joint Staff policy. As a result,\nJITC tested four of the eight programs without Joint Staff J-6 interoperability\nrequirements certifications and certified three of those programs. Thus,\nfour programs were prematurely tested before the Joint Staff J-6 certified the\ninteroperability requirements, coordinated the requirements with the other\nMilitary Departments and Defense agencies, or ensured that the interoperability\nrequirements complied with joint policy, doctrine, and interoperability standards.\n\n\n\n\n                                      16\n\x0c     Need to Complete the Interoperability Certification Process. Army program\n     managers need to obtain the required interoperability requirements certification\n     of ORDs, the supportability certification of C4I support plans, and the\n     interoperability system validation from the Joint Staff J-6 to ensure that the\n     warfighter has effective, integrated systems and networks that meet mission\n     needs.\n\nEffects of Army Implementation of DoD Interoperability\n  Policy\n     Without updating Army regulations to effectively implement DoD\n     interoperability policy, the Army risks developing systems that operate\n     independently of other Army and DoD systems and not realizing the full benefits\n     of interoperable DoD systems that conform to the GIG and satisfy the needs of\n     the warfighter as outlined in Joint Vision 2020.\n\nManagement Comments on the Finding\n     Although not required to comment, the Director, Operational Test and Evaluation\n     agreed with the finding. For the complete text of the Director\xe2\x80\x99s comments, see\n     the Management Comments section of the report.\n\nRecommendations, Management Comments, and Audit\n  Response\n     B. We recommend that the Army Deputy Chief of Staff for Operations and\n     Plans, in coordination with the Army Chief Information Officer, update\n     Army Regulation 70-1, \xe2\x80\x9cArmy Acquisition Policy,\xe2\x80\x9d December 15, 1997, and\n     Regulation 71-9, \xe2\x80\x9cMateriel Requirements,\xe2\x80\x9d April 30, 1997, to require that:\n\n            1. Combat developers identify interoperability and supportability\n     requirements in requirements documents and update the requirements\n     throughout the life of the systems, as necessary, in accordance with DoD\n     Directive 4630.5, \xe2\x80\x9cInteroperability and Supportability of Information\n     Technology (IT) and National Security Systems (NSS)\xe2\x80\x9d January 11, 2002.\n\n           2. Program managers use command, control, communications,\n     computers, and intelligence support plans to document interoperability and\n     supportability requirements in accordance with DoD Instruction 4630.8,\n     \xe2\x80\x9cProcedures for Interoperability and Supportability of Information\n     Technology (IT) and National Security Systems (NSS),\xe2\x80\x9d May 2, 2002.\n\n            3. Program managers obtain the Joint Staff J-6 certifications for\n     interoperability in accordance with Chairman of the Joint Chiefs of Staff\n     Instruction 6212.01B, \xe2\x80\x9cInteroperability and Supportability of National\n     Security Systems, and Information Technology Systems,\xe2\x80\x9d May 8, 2000.\n\n\n                                         17\n\x0cArmy Deputy Chief of Staff for Operations and Plans Comments. The\nDeputy Chief of Staff did not provide comments on the draft report. We request\nthat the Deputy Chief of Staff provide comments in response to the final report.\n\nPrincipal Director for Enterprise Integrations Comments. The Principal\nDirector, responding for the Army Chief Information Officer, concurred, stating\nthat the Assistant Secretary of the Army (Acquisition, Logistics, and Technology)\nand the Army Deputy Chief of Staff for Operations and Plans have begun to\nupdate Army Regulations 70-1 and 71-9 and expect to publish the updates by\nearly FY 2004 and mid-FY 2004, respectively. He stated that the\nrecommendations will be incorporated into the updates; however, he noted that\nthe program managers should not be obtaining interoperability certifications, as\naddressed in Recommendation B.3., unless by exception.\n\nThe Principal Director also stated that interoperability certifications should be\nconducted when the requirements or capabilities documentation is provided to the\nJoint Staff for review and should include certification by the Joint Staff J-6, in\naccordance with Chairman of the Joint Chiefs of Staff Instruction 6212.01B,\nwhich will be replaced by Chairman of the Joint Chiefs of Staff\nInstruction 6212.01C. In addition, he stated that the interoperability certification,\nas described, is part of the new Chairman of the Joint Chiefs of Staff\nInstruction 3170.01C, \xe2\x80\x9cJoint Capabilities Integration and Development System,\xe2\x80\x9d\nJune 24, 2003, and was a requirement in Chairman of the Joint Chiefs of Staff\nInstruction 3170.01B. For the complete text of the Principal Director\xe2\x80\x99s\ncomments, see the Management Comments section of the report.\n\nAudit Response. Except for his qualification on obtaining interoperability\ncertifications, the Principal Director\xe2\x80\x99s comments are responsive. Chairman of the\nJoint Chiefs of Staff Instruction 3170.01C and Chairman of the Joint Chiefs of\nStaff Instruction 6212.01B require program managers to obtain interoperability\ncertifications. Chairman of the Joint Chiefs of Staff Instruction 3170.01C states\nthat, for capability development documents and capability production documents\n(previously referred to as ORDs), interoperability and supportability certifications\nfor National Security (NS) and information technology systems will be performed\nin accordance with Chairman of the Joint Chiefs of Staff Instruction 6212.01B,\nDoD Directive 4630.5, and DoD Instruction 4630.8.\n        Chairman of the Joint Chiefs of Staff Instruction 6212.01B. Chairman\nof the Joint Chiefs of Staff Instruction 6212.01B requires the Joint Staff J-6 to\ncertify all NS and information technology systems as interoperable with other NS\nand information technology systems with which they exchange information. This\ninteroperability certification process addresses system interoperability\nrequirements, supportability, and total life-cycle oversight of warfighter\ninteroperability requirements.\n\n       DoD Directive 4630.5. DoD Directive 4630.5 requires that certification\nof NS and information technology systems will be cost-effective and completed\nbefore new NS and information technology systems or new capabilities or\nupgrades to existing NS and information technology systems are fielded.\n\n\n\n\n                                     18\n\x0c         DoD Instruction 4630.8. DoD Instruction 4630.8 requires the DoD\nComponents to certify which of the interoperability criteria have been met before\nproduction and fielding approval for all new or modified NS and information\ntechnology systems. Further, the Instruction requires the Chairman of the Joint\nChiefs of Staff, with the assistance of the Defense Information Systems Agency,\nto certify that interoperability and supportability requirements for NS and\ninformation technology systems are established, assessed, and verified for NS and\ninformation technology systems acquisitions before production and fielding.\n\nAccordingly, we request that the Principal Director clarify his response on\nprogram managers obtaining interoperability certifications on an exception basis.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation. For the complete text\nof the Director\xe2\x80\x99s comments, see the Management Comments section of the report.\n\n\n\n\n                                    19\n\x0c                 C. Information Assurance Testing of\n                    Army Systems\n                 The Army testers did not consistently conduct IA testing for Army\n                 acquisition programs because:\n\n                          \xe2\x80\xa2   TRADOC, as the combat developer, did not coordinate with\n                              the Army Test and Evaluation Command to fully identify IA\n                              requirements in ORDs for testing Army programs with\n                              interoperability and supportability requirements;\n\n                          \xe2\x80\xa2   combat developers at TRADOC were not aware of their roles\n                              and responsibilities in implementing the DoD Information\n                              Technology Security Certification and Accreditation Process\n                              (DITSCAP);\n\n                          \xe2\x80\xa2   the Army Chief Information Officer did not verify that\n                              program managers for Army acquisition programs with\n                              information technology requirements prepared and maintained\n                              an SSAA in accordance with the DITSCAP; and\n\n                          \xe2\x80\xa2   the Assistant Secretary of the Army (Acquisition, Logistics,\n                              and Technology) did not require SSAA signatories11 to\n                              coordinate with the Army Test and Evaluation Command\n                              throughout the acquisition cycle to minimize duplicative IA\n                              testing efforts for Army systems subject to the DITSCAP.\n\n                 As a result, milestone decision authorities could not be assured that\n                 systems developed satisfied the IA requirements of availability, integrity,\n                 authenticity, confidentiality, and nonrepudiation of information to meet\n                 warfighter requirements as envisioned in the Quadrennial Defense Review\n                 and Joint Vision 2020.\n\nDefining Information Assurance Requirements for Testing\n        TRADOC did not fully identify IA requirements in ORDs for testing Army\n        acquisition programs with interoperability and supportability requirements\n        because TRADOC did not coordinate with the Army Test and Evaluation\n        Command when developing and updating ORDs. As a result, combat developers\n        for only 3 of the 41 Army program offices surveyed included testable IA\n        requirements12 in the applicable ORDs.\n\n\n\n11\n The SSAA signatories include the information technology system program manager, the designated\n approving authority, the certification authority, and the user representative.\n12\n Testable IA requirements are written in output-oriented and measurable terms in threshold and objective\n format with criteria and rationale for each.\n\n\n                                                   20\n\x0c        Information Assurance Requirements Policy. DoD Directive 5000.1, \xe2\x80\x9cThe\n        Defense Acquisition System,\xe2\x80\x9d May 12, 2003, requires acquisition managers to\n        address IA for all weapons, C4I surveillance and reconnaissance, and\n        information technology programs that depend on external information sources\n        or that provide information to other DoD systems. In addition, DoD\n        Instruction 5000.2 requires operational tester and evaluators to assess those\n        programs. Further, Chairman of the Joint Chiefs of Staff Instruction 3170.01B,\n        \xe2\x80\x9cRequirements Generation System,\xe2\x80\x9d April 15, 2001,13 requires all DoD systems\n        that are used to enter, process, store, display, or transmit DoD information\n        regardless of classification or sensitivity to address IA. The Instruction also\n        requires the initial ORD to establish requirements describing the capabilities\n        and characteristics of the proposed system. Further, the Instruction states that\n        the requirements must be written in output-oriented and measurable terms in\n        threshold and objective format, with criteria and rationale for each.\n\n        In addition, DoD Directive 4630.5; DoD Directive 8500.1, \xe2\x80\x9cInformation\n        Assurance,\xe2\x80\x9d October 24, 2002; DoD Instruction 8500.2, \xe2\x80\x9cInformation\n        Assurance Implementation,\xe2\x80\x9d February 6, 2003; DoD Guidebook, \xe2\x80\x9cInterim\n        Defense Acquisition Guidebook,\xe2\x80\x9d October 30, 2002; Army Regulation 70-1;\n        and Army Regulation 73-1, \xe2\x80\x9cTest and Evaluation Policy,\xe2\x80\x9d January 7, 2002,\n        establish additional requirements and guidance for IA requirements generation\n        and for testing. Appendix F discusses the additional requirements and\n        guidance.\n\n        Testable Information Assurance Requirements. Based on our review of the\n        41 Army programs surveyed, we determined whether the applicable ORDs and\n        the corresponding TEMPs had IA requirements that could be measured, tested,\n        and evaluated. Although 22 of the 41 ORDs contained IA requirements, only 3 of\n        them were written in output-oriented and measurable terms.\n\n        Identifying Information Assurance Requirements for Testing. TRADOC did\n        not always identify testable IA requirements in ORDs for Army programs with\n        interoperability and supportability requirements. Conversely, in a substantial\n        number of instances, the Army Test and Evaluation Command did identify IA\n        requirements for testing in system evaluation plans (SEPs),14 even when the ORD\n        did not identify those requirements\n                Army Training and Doctrine Command. Although required by\n        Chairman of the Joint Chiefs of Staff Instruction 3170.01B and the TRADOC\n        requirements generation guidance, TRADOC personnel stated that they did not\n        require subordinate elements to develop testable IA requirements in ORDs for\n        Army programs with interoperability and supportability requirements.\n\n\n\n13\n Subsequent to the issuance of the draft audit report, the Joint Staff issued Chairman of the Joint Chiefs of\n Staff Instruction 3170.01C, \xe2\x80\x9cJoint Capabilities Integration and Development System,\xe2\x80\x9d June 24, 2003,\n canceled Chairman of the Joint Chiefs of Staff Instruction 3170.01B.\n14\n The SEP documents the integrated test and evaluation strategy, which is the evaluation strategy and the\n test and simulation execution strategy that the testers and evaluators use throughout the system\n acquisition life cycle.\n\n\n                                                     21\n\x0c           For direction in preparing an ORD, TRADOC issued a \xe2\x80\x9cGuide for Development\n           of Army Operational Requirements Documents,\xe2\x80\x9d October 2002, that provides a\n           mandatory format for all Army-developed ORDs. The Guide requires the\n           Directorates of Combat Development, as the user representatives, to address the\n           defensive measures needed to ensure that IA requirements include availability,\n           integrity, authentication, confidentiality, and nonrepudiation of the information to\n           be exchanged and used. However, the Guide does not require user representatives\n           to coordinate with Army testers to verify that IA requirements included in the\n           ORDs are testable.\n\n                    Army Test and Evaluation Command. To determine whether IA\n           requirements in ORDs could be measured, tested, and evaluated, we contacted\n           personnel from the Army Test and Evaluation Command, including\n           representatives from the Army Evaluation Center, who are responsible for\n           evaluating developmental and operational test results, and the Army Operational\n           Test Command Headquarters, who are responsible for conducting operational\n           testing.\n\n                          Army Evaluation Center. Army Evaluation Center personnel\n           stated that, when ORDs for systems with interoperability and supportability\n           requirements did not identify testable IA requirements, they added testable IA\n           requirements into the \xe2\x80\x9cAdditional Issues\xe2\x80\x9d section of the respective program\xe2\x80\x99s SEP\n           and the subsequent system evaluation report (SER)15 for testing and evaluating\n           the system\xe2\x80\x99s IA capabilities. We reviewed the SEP or SER for 9 of the\n           41 programs surveyed. For six of the nine programs, the Army Evaluation Center\n           added IA requirements in the \xe2\x80\x9cAdditional Issues\xe2\x80\x9d section of the SEPs or SERs.16\n           For the remaining three programs, the Army Evaluation Center addressed IA\n           requirements in other sections of the SEPs or SERs.\n\n                          Army Operational Test Command Headquarters. To\n           determine the effect that not having testable IA requirements in ORDs had on\n           operational test results, we met with three of the Army Operational Test\n           Command\xe2\x80\x99s subordinate directorates: the Command, Control, Communications,\n           and Computers Test Directorate, the Information and Electronic Warfare Test\n           Directorate, and the Air Defense Artillery Test Directorate.\n\n                                  Command, Control, Communications, and Computers\n           Test Directorate. The IA procedures at the Command, Control, Communications,\n           and Computers Test Directorate (the Directorate) required the operational testers\n           to plan and conduct operational testing of IA requirements in the ORD for C4I\n           acquisition programs only. For non-C4I acquisition programs, the Directorate\n           used a draft test checklist to assess IA during operational testing. However,\n           Directorate personnel advised that other subordinate directorates of the Army\n           Operational Test Command did not universally use the draft IA test checklist.\n\n\n\n15\n The SER documents independent evaluation findings and recommendations on system operational\n effectiveness, suitability, and survivability.\n16\n     The SEPs and SERs were from separate programs.\n\n\n                                                      22\n\x0c                           Information and Electronic Warfare Test Directorate.\n    Personnel at the Information and Electronic Warfare Test Directorate (the\n    Directorate) stated that their ability to test IA requirements for Army systems is\n    impaired when the ORDs for Army systems omit testable IA requirements. In\n    those cases, the Directorate cannot conduct tests to determine whether the IA for\n    those systems are operationally effective, suitable, and survivable for the intended\n    use by the warfighter.\n\n                           Air Defense Artillery Test Directorate. Personnel at the\n    Air Defense Artillery Test Directorate also stated that, when the ORDs for Army\n    systems omitted testable IA requirements, they were unable to conduct tests to\n    determine whether the IA for those systems were operationally effective, suitable,\n    and survivable for the intended use by the warfighter.\n\nCombat Developer Awareness of DITSCAP Requirements\n    Combat developers at TRADOC were not aware of their roles and\n    responsibilities in implementing the DITSCAP because the Assistant Secretary\n    of the Army (Acquisition, Logistics, and Technology) had not updated Army\n    Regulation 70-1 to identify the roles and responsibilities of combat developers\n    concerning DITSCAP requirements.\n\n    DITSCAP Requirements. DoD Instruction 5200.40, \xe2\x80\x9cDoD Information\n    Technology Security Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d\n    December 30, 1997, establishes the DITSCAP for security certification and\n    accreditation of unclassified and classified information technology. The\n    DITSCAP sets forth the activities and management structure to certify and\n    accredit information technology systems that will maintain the security posture\n    of the Defense Information Infrastructure. Further, the Instruction states that\n    the interests of system users are vested in the user representatives, who:\n\n           \xe2\x80\xa2   are concerned with system availability, access, integrity,\n               functionality, and performance;\n\n           \xe2\x80\xa2   are the liaison for the users during the initial development of a\n               system;\n\n           \xe2\x80\xa2   define the system mission and functionality; and\n\n           \xe2\x80\xa2   ensure that the user\xe2\x80\x99s interests are maintained throughout system\n               development, modification, integration, acquisition, and\n               deployment.\n\n    Army Combat Developer Involvement in the DITSCAP. Army acquisition\n    policy did not include the DITSCAP requirements of DoD Instruction 5200.40\n    concerning the roles and responsibilities of user representatives. To determine the\n    user representatives\xe2\x80\x99 involvement and awareness of their roles and responsibilities\n    in the implementation of the DITSCAP, we interviewed cognizant personnel at\n\n\n\n                                         23\n\x0c            six Directorates of Combat Development within TRADOC. The Directorates of\n            Combat Development were located at:\n\n                    \xe2\x80\xa2    Fort Bliss, Texas;\n\n                    \xe2\x80\xa2    Fort Benning, Georgia;\n\n                    \xe2\x80\xa2    Fort Gordon, Georgia;\n\n                    \xe2\x80\xa2    Fort Knox, Kentucky;\n\n                    \xe2\x80\xa2    Fort Leonard Wood, Missouri; and\n\n                    \xe2\x80\xa2    Fort Sam Houston, Texas.\n\n            Personnel at four of six Directorates of Combat Development stated that they\n            were not involved in the implementation of the DITSCAP. Instead, they were of\n            the opinion that Army program managers were responsible for implementing the\n            DITSCAP for their respective programs. Accordingly, the Directorates of\n            Combat Development were not exercising their required roles and responsibilities\n            for resolving schedule, budget, security, functionality, and performance issues\n            associated with the DITSCAP.\n\nPreparing and Maintaining System Security Authorization\n  Agreements\n            SSAA Policy. DoD Instruction 5200.40 and Army Regulation 25-1, \xe2\x80\x9cArmy\n            Information Management,\xe2\x80\x9d May 31, 2002, provide policies and procedures\n            concerning the DITSCAP, including SSAAs\n\n                    DoD Instruction 5200.40. DoD Instruction 5200.40 states that the\n            DITSCAP applies to the acquisition, operation, and sustainment of any DoD\n            system that collects, stores, transmits, or processes unclassified or classified\n            information. Further, the Instruction states that a critical element of the\n            DITSCAP is the agreement among the information technology system program\n            manager,17 the designated approving authority, the certification authority, and\n            the user representative to resolve critical schedule, budget, security,\n            functionality, and performance issues. This agreement is documented in the\n            SSAA that is used to guide and document the results of the certification and\n            accreditation process. The SSAA establishes a binding agreement on the level\n            of security required before system development or changes begin. The SSAA is\n            used throughout the entire DITSCAP to guide actions, document decisions,\n            specify information technology security requirements, document certification\n            tailoring and level of effort, identify possible solutions, and maintain\n            operational systems security.\n\n17\n     The term program manager refers to the acquisition organization\xe2\x80\x99s program manager during the system\n     acquisition, the system manager during the operation of the system, or the maintenance organization\xe2\x80\x99s\n     program manager when a system is undergoing a major change.\n\n\n                                                      24\n\x0c        Army Regulation 25-1. Army Regulation 25-1 requires the Army Chief\nInformation Officer to validate all warfighting requirements through the review\nof appropriate requirements documents. Validation criteria will include\ncompliance with information security requirements. The Regulation also\nrequires that all information systems and networks be subjected to an established\ncertification and accreditation process, which verifies that the required levels of\nIA are achieved and sustained throughout their life cycle. Further, the\nRegulation states that information systems and networks will be certified and\naccredited in accordance with DoD Instruction 5200.40.\n\nSSAA Implementation. To determine whether Army acquisition program\noffices with information technology requirements had an SSAA, we requested\nSSAAs from the program managers for the 41 Army program offices surveyed.\nWe contacted the Army Test and Evaluation Command, which conducts the\nArmy\xe2\x80\x99s operational testing and evaluation, to determine whether it was provided\nSSAAs for use in conducting operational testing.\n\n        SSAA Survey. In the survey questionnaire on the implementation of\ninteroperability and IA requirements, we asked the program managers the\nfollowing question concerning SSAAs: Of the following documentation normally\nprovided to the milestone decision authority at the system development and\ndemonstration decision point and the production and deployment decision point,\nwhich adequately describes IA requirements and strategies? In response, 19 of the\n41 program managers believed that the SSAA best described the IA requirements\nand strategies for the system development and demonstration milestone decision\nand 28 of the 41 program managers believed that it best described the IA\nrequirements and strategies for the production and deployment milestone decision\n(Appendix D contains the results of the survey). If the program managers do not\nprepare the SSAAs before milestone decision points, the milestone decision\nauthority cannot be assured that the program manager, the designated approving\nauthority, the certification authority, and the user have all agreed on the method for\nimplementing information technology security requirements and maintaining\noperational systems security.\n\n       SSAA Request. Based on our request, 35 of the 41 Army program offices\nsurveyed provided an SSAA. We did not determine whether the contents of the\nSSAAs were adequate. However, the SSAA signatories should have prepared an\nSSAA for all 41 programs because it is the formal agreement among the\ndesignated approving authority, the certification authority, the information\ntechnology system user representative, and the program manager to guide actions,\ndocument decisions, specify information technology security requirements,\ndocument certification tailoring and level of effort, identify possible solutions, and\nmaintain operational systems security.\n\n     Army Test and Evaluation Command. The Army Operational Test\nCommand and the Army Evaluation Center within the Army Test and Evaluation\nCommand did not always receive SSAAs because the:\n\n       \xe2\x80\xa2   Army Chief Information Officer did not ensure that program managers\n           for Army acquisition programs with information technology\n\n\n\n                                     25\n\x0c                    requirements prepared and maintained an SSAA in accordance with\n                    Army Regulation 25-1, and\n\n                \xe2\x80\xa2   Assistant Secretary of the Army (Acquisition, Logistics, and\n                    Technology) had not updated Army Regulation 70-1 to require the\n                    SSAA signatories to coordinate with the Army Test and Evaluation\n                    Command throughout the acquisition cycle for Army systems subject\n                    to the DITSCAP.\n\n                       Army Operational Test Command. Personnel at the Army\n       Operational Test Command stated that Army program offices did not always\n       provide them with SSAAs even though they made repeated requests for the\n       SSAAs. Without an SSAA, the operational testers cannot adequately conduct IA\n       testing to determine whether planned and implemented security measures satisfy\n       the system\xe2\x80\x99s ORD and information technology security requirements. Further,\n       the operational testers cannot determine the level of risk associated with operating\n       the system and the extent of security testing required.\n\n                       Army Evaluation Center. Personnel at the Army Evaluation\n       Center stated that SSAAs were essential for their IA risk assessments. However,\n       the personnel stated that they did not always receive complete SSAAs from Army\n       program managers. The personnel attributed that condition to DITSCAP being\n       completely separate from the acquisition process. As a result, evaluators at the\n       Army Evaluation Center have to incorporate additional IA test requirements into\n       their SEPs to determine whether the systems with IA requirements are\n       operationally effective and suitable based on the systems availability, access,\n       integrity, functionality, and performance.\n\nCoordination of DITSCAP Testing and Program Evaluation\n       DITSCAP Coordination Requirements. DoD Instruction 5000.2; DoD\n       Guidebook, \xe2\x80\x9cInterim Defense Acquisition Guidebook,\xe2\x80\x9d October 30, 2002;18 and\n       Director, Operational Test and Evaluation memorandum, \xe2\x80\x9cPolicy for Operational\n       Test and Evaluation of Information Assurance,\xe2\x80\x9d November 17, 1999, discuss the\n       coordination of DITSCAP testing.\n              DoD Instruction. DoD Instruction 5000.2 requires the program manager,\n       together with the user and test and evaluation communities, to coordinate\n       developmental test and evaluation, operational test and evaluation, live-fire test\n       and evaluation, family-of-systems interoperability testing, IA testing, and\n       modeling and simulation activities into an efficient process, integrated with\n       requirements definition and systems design and development.\n\n               DoD Guidebook. The Guidebook states that IA testing should be\n       conducted on information systems to ensure that planned and implemented\n       security measures satisfy ORD and SSAA requirements when the system is\n       installed and operated in its intended environment. Further, the Guidebook states\n18\n Formerly DoD Regulation 5000.2-R. The former DoD Regulation 5000.2-R will serve as the guidebook\n while the Defense Acquisition Policy Working Group creates a streamlined guidebook.\n\n\n                                               26\n\x0c        that the program manager, the operational test and evaluation authority, and the\n        designated approving authority should coordinate and determine the level of risk\n        associated with operating a system and the extent of security testing19 required.20\n\n                Director, Operational Test and Evaluation Policy. Director,\n        Operational Test and Evaluation memorandum, \xe2\x80\x9cPolicy for Operational Test and\n        Evaluation of Information Assurance,\xe2\x80\x9d November 17, 1999, requires the\n        operational test agencies for programs subject to the DITSCAP to coordinate with\n        the SSAA signatories throughout the acquisition cycle to minimize duplicative\n        efforts by the operational test agencies. Further, the memorandum requires the\n        operational test agencies and the SSAA signatories to maximize opportunities to\n        meet operational requirements through concurrent testing, particularly in\n        DITSCAP vulnerability assessments, security tests and evaluations, and\n        penetration testing.\n\n        Coordination and Use of DITSCAP Test Results. To determine how\n        effectively the SSAA signatories, specifically program managers, were\n        coordinating with the Army Evaluation Center throughout the acquisition cycle to\n        minimize duplicative IA testing efforts, we contacted personnel from the Army\n        Evaluation Center and reviewed SERs. The SER documents independent\n        evaluation findings and recommendations on system operational effectiveness,\n        suitability, and survivability that enable the milestone decision authority to make\n        an informed decision concerning the readiness of the system for production.\n\n                Army Evaluation Center. Personnel at the Army Evaluation Center\n        stated that the DITSCAP is a key source of data for their IA evaluations.\n\n                        Input Into DITSCAP Testing. Personnel at the Army Evaluation\n        Center stated that the Army Evaluation Center has limited input into DITSCAP\n        testing and that its input to the DITSCAP depends on the individual program\n        manager. Although the DITSCAP does not define a role for the Army Test and\n        Evaluation Command, the personnel stated that the Army Evaluation Center\n        identifies the IA requirements for the test and evaluation process and informs the\n        program manager when the Army Test and Evaluation Command will conduct an\n        IA evaluation on the system. The Army Evaluation Center relies on DITSCAP\n        testing to assess whether the system satisfied IA requirements; however, the\n        personnel stated that program managers did not always provide the results of the\n        DITSCAP test results in time for inclusion in their SER. As a result, not all Army\n        SERs contain an evaluation of whether the system satisfies IA requirements.\n\n                        Specific Army Guidance. Army Pamphlet 73-1, \xe2\x80\x9cTest and\n        Evaluation in Support of System Acquisition,\xe2\x80\x9d February 28, 1997, does not\n        clearly state the Army Evaluation Center\xe2\x80\x99s responsibilities regarding the testing of\n        system IA requirements.21 To compensate, the Army Evaluation Center was\n19\n Security testing is the examination and analysis of the safeguards, which are required to protect an\n information technology system, to determine the security posture of that system.\n20\n The April 2002 and the June 2001 versions of DoD Regulation 5000.2-R have these same requirements\n as the DoD Guidebook.\n21\n Army Regulation 25-1, \xe2\x80\x9cArmy Information Management,\xe2\x80\x9d May 31, 2002; also did not address the testers\n roles and responsibilities regarding information management.\n\n\n                                                    27\n\x0c     using the procedures in the Director, Operational Test and Evaluation policy\n     memorandum to determine whether DITSCAP testing of system IA requirements\n     was sufficient or whether the system required additional IA testing during\n     operational testing. On May 30, 2003, the Army Test and Evaluation\n     Management Agency issued an update to Army Pamphlet 73-1. The IA section of\n     the update states that the system evaluator must ensure that software is evaluated,\n     independently tested, and verified to ensure it meets the minimum standards for\n     security and reliability prior to release for operation. The Army Test and\n     Evaluation Command was incorporating the guidance from the Director,\n     Operational Test and Evaluation policy memorandum into an Army Evaluation\n     Center handbook.\n\n             System Evaluation Reports. Of the 41 Army programs surveyed, we\n     identified 5 programs where the Army Evaluation Center used Army Operational\n     Test Command results from tests conducted in 2002 to prepare SERs. For three\n     of the five SERs, the Army Evaluation Center stated in the applicable SERs that\n     DITSCAP test data were not available to the evaluators to use as a data source for\n     their IA evaluations. For the remaining two SERs, the Army Evaluation Center\n     used DITSCAP test data in its IA evaluations.\n\n     The Army Evaluation Center also identified two additional SERs that resulted\n     from 2002 test results for systems other than the 41 Army programs that we\n     surveyed. DITSCAP test data was not available to the Army Evaluation Center in\n     preparing those IA evaluations. The Army Evaluation Center attributed the\n     nonavailability of DITSCAP test data to the need for an Army requirement for the\n     SSAA signatories, including the applicable program managers, to coordinate with\n     the Army Test and Evaluation Command throughout the acquisition cycle for\n     Army systems subject to the DITSCAP. As a result, the Army Test and\n     Evaluation Command did not always have the DITSCAP test results for use in\n     system evaluations to advise the decision review principals and milestone\n     decision authority on the adequacy of testing; the system\xe2\x80\x99s effectiveness,\n     suitability, and survivability; as well as recommendations for future test and\n     evaluation and system improvements.\n\nEffect of the Availability of IA Testing Results\n     Because Army testers did not conduct IA testing and evaluation before system\n     production decisions, milestone decision authorities did not have assurance that\n     systems developed satisfied the IA requirements of availability, integrity,\n     authenticity, confidentiality, and nonrepudiation of information to meet\n     warfighter requirements as envisioned in the Quadrennial Defense Review and\n     Joint Vision 2020.\n\nManagement Comments on the Finding\n     Although not required to comment, the Director, Operational Test and Evaluation\n     agreed with the finding. For the complete text of the Director\xe2\x80\x99s comments, see\n     the Management Comments section of the report.\n\n\n                                         28\n\x0cRecommendations, Management Comments, and Audit\n  Response\n    C.1. We recommend that the Assistant Secretary of the Army (Acquisition,\n    Logistics, and Technology), in coordination with the Director, Test and\n    Evaluation Management Agency, update Army Regulation 70-1, \xe2\x80\x9cArmy\n    Acquisition Policy,\xe2\x80\x9d December 15, 1997, to:\n\n           a. Require the Army Training and Doctrine Command to coordinate\n    with the Army Test and Evaluation Command:\n\n                  (1) When developing testable information assurance\n    requirements for inclusion in operational requirements documents for new\n    Army acquisition programs with interoperability and supportability\n    requirements.\n\n                  (2) When updating existing operational requirements\n    documents for Army acquisition programs with interoperability and\n    supportability requirements to ensure that those documents have testable\n    information assurance requirements.\n\n    Acting Deputy for Systems Management, Office of the Assistant Secretary of\n    the Army (Acquisition, Logistics, and Technology) Comments. The Acting\n    Deputy concurred, stating that the Army is updating Army Regulation 70-1 and\n    expects to publish it in late November 2003. Further, he stated that the Army will\n    not repeat requirements in the DoD 5000 series or Army Regulation 73-1 in the\n    updated regulation. The Acting Deputy also stated that this approach meets the\n    intent of the recommendations in the report to ensure that:\n\n           \xe2\x80\xa2   program managers develop C4I support plans,\n\n           \xe2\x80\xa2   program managers achieve joint interoperability testing and\n               certifications for their systems,\n\n           \xe2\x80\xa2   testable IA requirements are clearly identified, and\n\n           \xe2\x80\xa2   the DITSCAP identifies the responsibilities of the combat developers.\n\n    For the complete text of the Acting Deputy\xe2\x80\x99s comments, see the Management\n    Comments section of the report.\n\n    Principal Director for Enterprise Integration Comments. Although not\n    required to comment, the Principal Director disagreed with the recommendation,\n    stating that we should revise the recommendation because including testable IA\n    requirements in new or updated ORDs would neither eliminate duplicative testing\n    nor meet DITSCAP requirements. The Principal Director also stated that, to meet\n\n\n\n\n                                        29\n\x0cDITSCAP requirements, the designated approving authority, the certification\nauthority, the program manager, and the user representative must:\n\n       \xe2\x80\xa2   determine the applicable governing national, DoD, and Army security\n           requirements, network connection rules, and configuration\n           management requirements for a system; and\n\n       \xe2\x80\xa2   agree on the security and certification level for the system based on\n           those requirements.\n\nIn addition, he stated that those requirements are documented in an applicable\nRequirements Traceability Matrix, which is a DITSCAP-required appendix to the\nassociated SSAA. The Principal Director also stated that the system must be\ntested against those requirements in the Requirements Traceability Matrix, not\nthose in the ORD. Further, he stated that the results of the certification tests\nshould be available to the designated approving authority, the program manager,\nand the user representative before the system undergoes operational testing. The\nPrincipal Director also stated that the certification authority, who must be\nindependent from the program manager, is one of the signatories of the SSAA.\nFor the complete text of the Principal Director\xe2\x80\x99s comments, see the Management\nComments section of the report.\n\nAudit Response. The Principal Director\xe2\x80\x99s comments conflict with DoD\nguidance. Including testable IA requirements in new or updated ORDs should\nminimize duplicative testing and meet DITSCAP requirements as stipulated in\nDoD Instruction 5000.2 and Director, Operational Test and Evaluation\nmemorandum, \xe2\x80\x9cPolicy for Operational Test and Evaluation of Information\nAssurance.\xe2\x80\x9d In addition, the DoD Guidebook states that IA testing should be\nconducted on information systems to ensure that planned and implemented\nsecurity measures satisfy ORD and SSAA requirements when the system is\ninstalled and operated in its intended environment. Further, DoD\nManual 8510.1-M, \xe2\x80\x9cDepartment of Defense Information Technology Security\nCertification and Accreditation Process (DITSCAP) Application Manual,\xe2\x80\x9d\nJuly 31, 2000, states that the SSAA is to be tailored to meet the characteristics of\nthe information system, operational requirements, security policy, and prudent\nrisk management. Tailoring permits the DITSCAP to remain responsive to\noperational requirements and priorities.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation. For the complete text\nof the Director\xe2\x80\x99s comments, see the Management Comments section of the report.\n\n      b. Identify roles and responsibilities of combat developers in the DoD\nInformation Technology Security Certification and Accreditation Process.\n\nActing Deputy for Systems Management Comments. The Acting Deputy\nconcurred, stating that the Army is updating Army Regulation 70-1 to ensure that\nthe DITSCAP identifies the responsibilities of the combat developers.\n\nPrincipal Director for Enterprise Integration Comments. Although not\nrequired to comment, the Principal Director agreed with the recommendation,\n\n\n                                     30\n\x0cstating that the Army is replacing Army Regulation 380-19, \xe2\x80\x9cInformation Systems\nSecurity,\xe2\x80\x9d February 27, 1998, with Army Regulation 25-IA that will define\nDITSCAP roles and responsibilities for the designated approving authority, the\nprogram manager, and the certification authority. Further, he agreed with\ndesignating TRADOC as the user representative in Army Regulation 70-1.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation.\n\n       c. Require the system security authorization agreement signatories to\ncoordinate with the Army Test and Evaluation Command throughout the\nacquisition cycle for Army systems subject to the DoD Information\nTechnology Security Certification and Accreditation Process.\n\nActing Deputy for Systems Management Comments. The Acting Deputy\nconcurred, stating that the Army is updating Army Regulation 70-1 to ensure that\ntestable IA requirements are clearly identified.\n\nPrincipal Director for Enterprise Integration Comments. Although not\nrequired to comment, the Principal Director stated that the report implies that the\nArmy Test and Evaluation Command should act in the capacity of the DITSCAP\ncertification authority. Further, he stated that, in the long term, the\nrecommendation has merit; however, for the Army Test and Evaluation\nCommand to perform the DITSCAP certification tests, the Command must\nemploy personnel who can meet or exceed the qualifications and standards of the\nNational Security Telecommunications and Information Systems Security\nInstruction 4015 and the Army Regulation 380-53, \xe2\x80\x9cInformation Systems Security\nMonitoring,\xe2\x80\x9d April 29, 1998.\n\nAudit Response. The intent of the recommendation was not to have the Army\nTest and Evaluation Command act as the DITSCAP certification authority, but\ninstead, to have SSAA signatories coordinate with the Army Test and Evaluation\nCommand so that the Command would have DITSCAP test results in time for\ninclusion in their SERs.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation.\n\nC.2. We recommend that the Army Chief Information Officer validate all\nwarfighting requirements through the review of appropriate requirements\ndocuments to ensure that a system security authorization agreement has been\nprepared for Army systems subject to the DoD Information Technology\nSecurity Certification and Accreditation Process, in accordance with Army\nRegulation 25-1, \xe2\x80\x9cArmy Information Management,\xe2\x80\x9d May 31, 2002.\n\nPrincipal Director for Enterprise Integrations Comments. The Principal\nDirector, responding for the Army Chief Information Officer, concurred, stating\nthat Army Regulation 380-19, which is being replaced with Army\nRegulation 25-IA, is the governing regulation for the certification and\naccreditation of Army systems. Further, he stated that the Army Information\nAssurance Directorate validates security requirements for Army systems by\n\n\n                                    31\n\x0cconducting reviews of capability development documents (formerly called ORDs)\nand SSAAs. The Principal Director also stated that the Army Information\nTechnology Security Registry is being enlarged to include the security parameters\nof Army information technology systems required by the Federal Information\nSecurity Management Act. In addition, he stated that the Army Information\nTechnology Security Registry will track the accreditation status of information\ntechnology systems as well as other security-relevant parameters. The Principal\nDirector stated that the Information Assurance Directorate assesses IA strategies,\nrequired by Section 8088 of the Clinger Cohen Act, which support system\nmilestone decisions.\n\nDirector, Operational Test and Evaluation Comments. Although not required\nto comment, the Director agreed with the recommendation.\n\n\n\n\n                                    32\n\x0cAppendix A. Scope and Methodology\n   We reviewed documentation dated from March 1994 to May 2003. To\n   accomplish the audit objective, we reviewed:\n\n          \xe2\x80\xa2   the Army\xe2\x80\x99s efforts to implement interoperability and information\n              assurance requirements during the acquisition process;\n\n          \xe2\x80\xa2   requirements documentation for interoperability and information\n              assurance requirements;\n\n          \xe2\x80\xa2   the controls over the Joint Staff (J-6) interoperability certification\n              process and the Joint Command, Control, Communications,\n              Computers, and Intelligence Program Assessment Tool; and\n\n          \xe2\x80\xa2   applicable criteria.\n\n   We also contacted the staffs of the Chairman of the Joint Chiefs of Staff; the\n   Assistant Secretary of Defense (Networks and Information Integration); the\n   Assistant Secretary of the Army (Acquisition, Logistics, and Technology); the\n   Defense Information Systems Agency; the Army Training and Doctrine\n   Command; the Office of the Army Chief Information Officer; the Army Deputy\n   Chief of Staff for Operations and Plans; the Army Test and Evaluation\n   Management Agency; the Army Test and Evaluation Command.\n\n   Further, we judgmentally selected 41 new or modified Army acquisition programs\n   with research and development funding that interface with other systems to:\n\n          \xe2\x80\xa2   obtain the program managers\xe2\x80\x99 perspectives on interoperability and\n              IA requirements;\n\n          \xe2\x80\xa2    review ORDs, C4I Support Plans, TEMPs, and SSAAs;\n          \xe2\x80\xa2    review the status of interoperability testing by the Joint\n               Interoperability Test Command; and\n           \xe2\x80\xa2 determine the stage of each program in the Joint Command, Control,\n               Communications, Computers, and Intelligence Program Assessment\n               Tool for Joint Staff (J-6) interoperability certification.\n   We performed this audit from July 2002 through June 2003 in accordance with\n   generally accepted government auditing standards. We did not review the\n   management control program because the audit focused on interoperability and\n   IA requirements and review processes; therefore, our scope was limited to those\n   specific requirements and processes.\n\n   Use of Computer-Processed Data. We did not rely on computer-processed data\n   to perform this audit.\n\n\n\n\n                                        33\n\x0c    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the DoD weapon systems acquisition high-risk area.\n\nPrior Coverage\n    During the last 5 years, the General Accounting Office, the Inspector General of the\n    DoD, and the Defense Science Board have issued five reports addressing\n    interoperability and IA requirements for Defense systems. Unrestricted General\n    Accounting Office and Inspector General of the Department of Defense reports can\n    be accessed at http://www.gao.gov and http://www.dodig.osd.mil/audit/reports,\n    respectively.\n\n    General Accounting Office (GAO)\n           GAO Report No. NSIAD-98-73, \xe2\x80\x9cJoint Military Operations: Weakness in\n           DoD\xe2\x80\x99s Process for Certifying C4I Systems\xe2\x80\x99 Interoperability,\xe2\x80\x9d March 1998\n\n    Inspector General of the Department of Defense (IG DoD)\n           IG DoD Report No. D-2003-011, \xe2\x80\x9cImplementation of Interoperability and\n           Information Assurance Policies for Acquisition of DoD Weapon\n           Systems,\xe2\x80\x9d October 17, 2002\n\n           IG DoD Report No. D-2001-176, \xe2\x80\x9cSurvey of Acquisition Manager\n           Experience using the DoD Joint Technical Architecture in the Acquisition\n           Process,\xe2\x80\x9d August 22, 2001\n\n           IG DoD Report No. D-2001-121, \xe2\x80\x9cUse of the DoD Joint Technical\n           Architecture in the Acquisition Process,\xe2\x80\x9d May 14, 2001\n\n    Defense Science Board\n           Defense Science Board Task Force, \xe2\x80\x9cProtecting the Homeland, Report of\n           the Defense Science Board Task Force on Defensive Information\n           Operations, 2000 Summer Study, Volume II,\xe2\x80\x9d March 2001\n\n\n\n\n                                        34\n\x0cAppendix B. Glossary\n   Accreditation. Accreditation is the formal declaration by the designated\n   approving authority that an information technology system is approved to operate\n   in a particular security mode using a prescribed set of safeguards at an acceptable\n   level of risk.\n\n   Acquisition Category. An acquisition category is an attribute of an acquisition\n   program that determines the program\xe2\x80\x99s level of review, decision authority, and\n   applicable procedures. The acquisition categories consist of I, major Defense\n   acquisition programs; IA, major automated information systems; II, major\n   systems; III, programs not meeting the criteria for acquisition categories I, IA, or\n   II; and IV, programs designated as such by the Army, Navy, and Marine Corps.\n\n   Advanced Concept Technology Demonstration. An advanced concept technology\n   demonstration is used to determine the military utility of proven technology and to\n   develop the concept of operations that will optimize effectiveness. Advanced\n   concept technology demonstrations are not themselves acquisition programs, but\n   are designed to provide a residual, usable capability upon completion, and\n   possibly transition into acquisition programs. Funding is programmed to support\n   the demonstration for up to 2 years in the field.\n\n   Architecture. An architecture is the structure of components, their\n   interrelationships, and the principal guidelines governing their design and\n   evolution over time.\n\n   Army Enterprise Infostructure-Transport. The Army Enterprise\n   Infostructure-Transport will establish one Army network to support all Army\n   applications. The Infostructure establishes a network-centric environment that\n   enables seamless communications, anytime, anywhere. The Army Enterprise\n   Infostructure-Transport concept is the approach that the Army will use to outline\n   how each system will interface within the GIG to achieve joint interoperability.\n\n   Capstone Requirements Document. A capstone requirements document is a\n   document that contains capabilities-based requirements that facilitate the\n   development of individual ORDs by providing a common framework and\n   operational concept to guide their development. It is an oversight tool containing\n   overarching requirements for a system-of-systems or family-of-systems.\n\n   Certification Authority. Certification authority is the official responsible for\n   performing the comprehensive evaluation of the technical and nontechnical\n   security features of an information technology system and other safeguards to\n   determine the extent to which a particular design and implementation meet a set\n   of specified security requirements.\n\n   Combat Developer. A combat developer is the command or agency that\n   formulates and documents operational concepts, doctrine, organizations, and or\n   materiel requirements (mission need statements and operational requirements\n   documents) for assigned mission areas and functions. A combat developer serves\n\n\n                                        35\n\x0cas the user representative during acquisitions for their approved materiel\nrequirements as well as doctrine and organization developments.\n\nCommand, Control, Communications, Computers, and Intelligence Support\nPlan. A C4I support plan describes system dependencies and interfaces in\nsufficient detail to enable program managers and operational testers to test\ninteroperability key performance parameters derived from information exchange\nrequirements.\n\nCommand, Control, Communications, Computers, and Intelligence\nSurveillance and Reconnaissance Architecture Framework. The C4I\nsurveillance and reconnaissance architecture framework provides rules, guidance,\nand product descriptions for developing and presenting different architectural\nviews of a given system to ensure a common denominator for understanding,\ncomparing, and integrating architectures across DoD.\n\nCritical Operational Issue. A critical operational issue is a key operational\neffectiveness issue or operational suitability issue that must be examined in the\noperational test and evaluation to determine the system\xe2\x80\x99s capability to perform its\nmission.\n\nDefense Information Infrastructure. Defense information infrastructure is the\nseamless web of communications networks, computers, software, databases,\napplications, data, security services, and other capabilities that meets the\ninformation processing and transport needs of DoD users in peace and in all\ncrises, conflict, humanitarian support, and wartime roles.\n\nDefense Information Infrastructure Common Operating Environment. The\nDefense Information Infrastructure Common Operating Environment is a mission\napplication independent architecture comprising reusable software and a set of\nguidelines based on the Joint Technical Architecture.\n\nDesignated Approving Authority. The designated approving authority is an\nofficial with the authority to formally assume responsibility for operating a\nsystem at an acceptable level of risk. The term designated approving authority is\nsynonymous with designated accrediting authority and delegated accrediting\nauthority.\n\nDevelopmental Test and Evaluation. Developmental test and evaluation is any\nengineering type of test used to verify the status of technical progress, verify that\ndesign risks are minimized, substantiate achievement of contract technical\nperformance, and certify readiness for initial operational testing. Generally, those\ntests are instrumented and measured by engineers, technicians, or soldier\noperator-maintainer test personnel in a controlled environment to facilitate failure\nanalysis.\n\nDoD Information Technology Security Certification and Accreditation\nProcess (DITSCAP). The DITSCAP is the standard DoD process for identifying\ninformation security requirements, providing security solutions, and managing\ninformation system security activities.\n\n\n\n                                     36\n\x0cDITSCAP Certification. DITSCAP certification is the comprehensive\nevaluation of the technical and nontechnical security features of an information\ntechnology system and other safeguards made in support of the accreditation\nprocess to establish the extent that a particular design and implementation meets a\nset of specified security requirements.\n\nEnterprise Architecture. An enterprise architecture is the explicit description\nand documentation of the current and desired relationships among business and\nmanagement processes and information technology. The enterprise architecture\ndescribes the \xe2\x80\x9ccurrent architecture\xe2\x80\x9d and \xe2\x80\x9ctarget architecture\xe2\x80\x9d to include the rules,\nstandards, and system life cycle information to optimize and maintain the\nenvironment that the agency wishes to create and maintain by managing its IT\nportfolio.\n\nEvolutionary Acquisition. Evolutionary acquisition is an acquisition approach\nin which the ultimate capability delivered to the user is divided into two or more\nblocks. Block 1 provides the initial deployment capability, a usable increment of\ncapability called for in the ORD. The remaining capability is provided in\nsubsequent blocks. The allocation of requirements to be achieved in each\nremaining block may be known and defined at the beginning of the block\nprogram, or may be defined for particular blocks \xe2\x80\x9clead time away\xe2\x80\x9d from the start\nof work beginning on a block, based on the user\xe2\x80\x99s increased understanding of the\ndelivered capability, the evolving threat, or available technology.\n\nGlobal Information Grid. The Global Information Grid provides the foundation\nfor network-centric warfare, information superiority, decision superiority, and\nultimately, full spectrum dominance. The GIG includes any system, equipment\nsoftware, or service that transmits information to, receives information from,\nroutes information among or interchanges information among other equipment,\nsoftware, and services. Non-GIG information technology is stand-alone, self-\ncontained, or embedded information technology that is not and will not be\nconnected to the enterprise network.\n\nInformation Assurance. Information assurance is information operations that\nmeasure, protect, and defend the information and information systems by\nensuring their availability, integrity, confidentiality, authentication and\nnonrepudiation. Information assurance provides for the restoration of information\nsystems by incorporating protection, detection, and reaction capabilities.\n\nInformation Exchange Requirements. Information exchange requirements\ncharacterize the information exchanges to be performed by a proposed system and\nidentify who exchanges what information with whom, why the information is\nnecessary, and how the users will employ that information.\n\nInformation Management. Information management consists of activities\nrequired to coordinate, plan, organize, analyze, integrate, evaluate, and control\ninformation resources effectively.\n\nInformation System. An information system is a set of information resources\norganized for the collection, storage, processing, maintenance, use, sharing,\ndissemination, disposition, display, or transmission of information. An\n\n\n                                     37\n\x0cinformation system includes automated information system applications,\nenclaves, outsourced information-technology-based processes, and platform\ninformation technology interconnections.\n\nInformation Technology. Information technology is the hardware, firmware,\nand software used as part of the information system to perform DoD information\nfunctions. Information technology includes computers, telecommunications,\nautomated information systems, automatic data processing equipment, and any\nassembly of computer hardware, software, and firmware configured to collect,\ncreate, communicate, compute, disseminate, process, store, and control data or\ninformation.\n\nInteroperability. Interoperability is the ability of systems, units, or forces to\nprovide services to or accept services from other systems, units, or forces and to\nuse the services so exchanged to operate effectively together.\n\nInteroperability Certification. Certification as it applies to interoperability is a\nformal statement of adequacy provided by a responsible agency (usually Joint\nStaff) attesting that a system has met its interoperability and supportability\nrequirements.\n\nJoint Mission Area. A joint mission area is a functional group of joint tasks and\nactivities that share a common purpose and facilitate joint force operations.\n\nJoint Operational Architecture. A joint operational architecture describes tasks\nand activities, operational elements, and information flows required to accomplish\nor support military operations; defines types of information exchanged, frequency\nof exchange, which tasks and activities are supported by information exchanges,\nand nature of information exchanges in detail sufficient to ascertain specific\ninteroperability requirements.\n\nJoint Requirements Oversight Council. The Joint Requirements Oversight\nCouncil assists the Chairman of the Joint Chiefs of Staff in identifying and\nassessing the priority of joint military requirements (including existing systems\nand equipment) to meet the national military strategy. The council, chaired by the\nVice Chairman of the Joint Chiefs of Staff and consisting of all the Vice Chiefs of\nthe Military Departments including the Assistant Commandant of the Marine\nCorps, directly supports the Defense Acquisition Board through review,\nvalidation, and approval of key cost, schedule, and performance parameters at the\nstart of the acquisition process, before each milestone review, and as requested by\nthe Under Secretary of Defense for Acquisition, Technology, and Logistics.\n\nJoint Technical Architecture. The Joint Technical Architecture is a common set\nof mandatory information technology standards, which are primarily interface\nstandards and guidelines to be used by all emerging systems and systems\nupgrades, including advanced concept technology demonstrations. The Joint0\nTechnical Architecture can be used to establish a system\xe2\x80\x99s technical architecture,\nand is applicable to all C4I and automated information systems and the interfaces\nof other key assets, such as weapon systems and sensors, with C4I systems.\n\n\n\n\n                                     38\n\x0c        Key Performance Parameters. Key performance parameters are a critical\n        subset of the performance parameters found in the ORD. Each key performance\n        parameter has a threshold and an objective value. Key performance parameters\n        represent those capabilities or characteristics so significant that failure to meet the\n        threshold value of performance can be cause for the concept or system selected to\n        be reevaluated or the program to be reassessed or terminated.\n\n        Mission Need Statement. A mission need statement is a formatted non-system-\n        specific statement containing operational capability needs that is written in broad\n        operational terms.\n\n        National Security System. A national security system is any telecommunication\n        or information system operated by the U.S. Government, whose function,\n        operation, or use involves intelligence activities, cryptologic activities related to\n        national security, command and control of military forces, equipment that is an\n        integral part of a weapon system, or is critical to the direct fulfillment of military\n        or intelligence missions.\n\n        Network-Centric Warfare. Network-centric warfare22 allows a warfighting\n        force to achieve improved information positions in the form of common\n        operational pictures that provide the basis for shared situational awareness and\n        knowledge, and a resulting increase in combat power.\n\n        Objective. The objective is the performance value that is desired by the user and\n        which the program manager is attempting to obtain. The objective value\n        represents an operationally meaningful, time critical, and cost effective increment\n        above the performance threshold for each program parameter.\n\n        Objective Force. The Objective Force will be a system of systems, networked\n        internally and externally through a responsive, reliable, mobile, non-line-of-sight,\n        and commander-and-executive-centric command and control capability. The\n        Objective Force will leverage joint/interagency reachback and Army direct\n        downlink capabilities for intelligence, personnel and force planning,\n        administration, technical engineering, information operations and logistical\n        support.\n\n        Operational Architecture View. The operational architecture view is a\n        description of the tasks and activities, operational elements, and information\n        flows required to accomplish or support a military operation.\n\n        Operational Effectiveness. Operational effectiveness is the overall degree of\n        mission accomplishment of a system when representative personnel use the\n        system in the environment planned or expected for operational employment of the\n        system, considering organization, doctrine, tactics, survivability, vulnerability,\n        and threat.\n\n\n22\n An in-depth discussion of network-centric warfare is provided in the book, Network Centric Warfare:\n Developing and Leveraging Information Superiority, 2nd Edition (Revised), by David S. Alberts, John J.\n Garstka, and Frederick P. Stein, C4I Surveillance and Reconnaissance Cooperative Research Program,\n August 1999.\n\n\n                                                  39\n\x0cOperational Requirements Document. The operational requirements document\nstates the user\xe2\x80\x99s objectives and minimum acceptable requirements for the\noperational performance of a proposed concept or system.\n\nOperational Suitability. Operational suitability is the degree to which a system\ncan be placed satisfactorily in field use with consideration being given to\navailability, compatibility, transportability, interoperability, reliability, wartime\nusage rates, maintainability, safety, human factors, manpower supportability,\nlogistic supportability, natural environmental effects, documentation, and training\nrequirements.\n\nOperational Test and Evaluation. Operational test and evaluation is field\ntesting, under realistic conditions, of any item or component of weapons,\nequipment, or munitions to determine their effectiveness and suitability for use in\ncombat by typical military users and the evaluation of the results of such tests.\n\nPenetration Testing. Penetration testing assesses a system\xe2\x80\x99s ability to withstand\nintentional attempts to circumvent system security features by exploiting\ntechnical security vulnerabilities. Penetration testing may include insider and\noutsider penetration attempts based on common vulnerabilities for the technology\nbeing used.\n\nProgram. A program is an acquisition funded by research, development, test and\nevaluation or procurement appropriations, or both, with the express objective of\nproviding a new or improved capability in response to a stated mission need or\ndeficiency.\n\nProgram Manager. Program manager refers to the acquisition organization\xe2\x80\x99s\nprogram manager during the system acquisition, the system manager during the\noperation of the system, or the maintenance organization\xe2\x80\x99s program manager\nwhen a system is undergoing a major change.\n\nRisk. Risk is a combination of the likelihood that a threat will occur, the\nlikelihood that a threat occurrence will result in an adverse effect, and the severity\nof the resulting adverse effect.\nSurvivability. Survivability is the capability of a system to avoid or withstand a\nman-made hostile environment without suffering an abortive impairment of its\nability to accomplish its designated mission.\n\nSystem. A system is the organization of hardware, software, materiel, facilities,\npersonnel, data, and services needed to perform a designated function with\nspecified results, such as the gathering of specified data, its processing, and\ndelivery to users.\n\nSystem Evaluation Plan (SEP). The SEP documents the integrated test and\nevaluation strategy, which the testers and evaluators use throughout the system\nacquisition life cycle. The SEP:\n\n       \xe2\x80\xa2   addresses system critical operational issues and criteria, critical\n           technical parameters, and additional evaluation focus areas;\n\n\n                                     40\n\x0c       \xe2\x80\xa2   identifies data needs and sources, and the approach to be used to\n           evaluate the system;\n\n       \xe2\x80\xa2   specifies the analytical plan; and\n\n       \xe2\x80\xa2   identifies program constraints.\n\nThe SEP details the evaluator\xe2\x80\x99s planned actions for the evaluation of the system\nand is prepared and updated by the system evaluator.\n\nSystem Evaluation Report (SER). The SER documents independent evaluation\nfindings and recommendations on system operational effectiveness, suitability,\nand survivability. The SER addresses and answers the critical operational issues\nand additional evaluation focus areas in the SEP. The system evaluator produces\na SER to advise the decision review principals and milestone decision authority\nconcerning the adequacy of testing, the system\xe2\x80\x99s effectiveness, suitability, and\nsurvivability, as well as recommendations for future test and evaluation and\nsystem improvements. The SER enables the milestone decision authority to make\nan informed decision on system production.\n\nSystem Evaluator. The system evaluator is an Army command or agency that\nassesses program effectiveness, suitability, and survivability (or progress towards\nachieving these) during each phase in the system\xe2\x80\x99s life cycle. Further, the system\nevaluator is responsible for planning, conducting, and reporting the system\nevaluation or assessment.\n\nSystem-of-Systems. System-of-systems, also known as a family-of-systems, is\nseveral independent programs which, when integrated, form a system to meet the\nneeds of a broad mission area such as missile defense. The performance of the\nindividual component programs making up the system-of-systems is specified in\nthe respective program ORDs; the overarching requirements for the\nsystem-of-systems are contained in a CRD.\n\nSystem Security Authorization Agreement. The system security authorization\nagreement is a formal agreement among the designated approving authority, the\ncertification authority, the information technology system user representative, and\nthe program manager. The agreement is used throughout the entire DITSCAP to\nguide actions, document decisions, specify information technology security\nrequirements, document certification tailoring and level-of-effort, identify\npotential solutions, and maintain operational systems security.\n\nSystem Security Authorization Agreement Signatories. The system security\nauthorization agreement signatories include the information technology system\nprogram manager, the designated approving authority, the certification authority,\nand the user representative.\n\nTechnical Architecture View. A technical architecture view is a minimal set of\nrules governing the arrangement, interaction, and interdependence of system parts\nor elements, whose purpose is to ensure that a conformant system satisfies a\nspecified set or requirements.\n\n\n\n                                    41\n\x0cTest and Evaluation Master Plan. The test and evaluation master plan\ndocuments the overall structure and objectives of the test and evaluation program.\nIt provides a framework within which to generate detailed test and evaluation\nplans and it documents schedule and resource implications associated with the\ntest and evaluation program. The test and evaluation master plan identifies the\nnecessary developmental test and evaluation, operational test and evaluation, and\nlive-fire test and evaluation activities. Further, the test and evaluation master plan\nrelates program schedule, test management strategy and structure, and required\nresources to critical operational issues, critical technical parameters, objectives\nand thresholds documented in the operational requirements document, evaluation\ncriteria, and milestone decision points.\n\nTest Integration Working Group. The Test Integration Working Group\nfacilitates the integration of test requirements through close coordination among\nthe materiel developer, combat developer, logistician, and developmental and\noperational testers to minimize development time and cost and preclude\nduplication between developmental and operational testing.\n\nThreshold. Threshold is the minimum acceptable value that, in the user\xe2\x80\x99s\njudgment, is necessary to satisfy the need. If threshold values are not achieved,\nprogram performance is seriously degraded, the program may be too costly, or the\nprogram may no longer be timely.\n\nUser Representative. The user representative is the liaison for the user or the\nuser community, particularly during the initial development of a system. The user\nrepresentative is the individual or organization that represents the user community\nin the specification, acquisition and maintenance of information technology\nsystem. The user representative defines the system mission and functionality and\nis responsible for ensuring that the user\xe2\x80\x99s interests are maintained throughout\nsystem development, modification, integration, acquisition, and deployment.\n\nValidation. Validation is an authoritative act or process of supporting or\ncorroborating whether information technology and NS system interoperability and\nsupportability requirements are appropriate.\n\nVerification. Verification is the act of establishing whether information\ntechnology and NS system interoperability requirements are accurate, measurable,\nsupportable, and adequately reflected in a system or family of systems' acquisition\nstrategy, test and evaluation plan, or in non-materiel or non-traditional acquisition\ninformation technology and NS system interoperability plans.\n\nVulnerability. Vulnerability is the characteristics of a system that cause it to\nsuffer a definite loss or reduction of capability to perform its designated mission\nas a result of having been subjected to a certain level of effects in a man-made\nhostile environment.\n\n\n\n\n                                     42\n\x0cAppendix C. Global Information Grid\n           Global Information Grid. The GIG provides the foundation for network-centric\n           warfare, information superiority, decision superiority, and ultimately full\n           spectrum dominance as depicted in the figure below.\n\n\n\n\n           Foundation for Achieving Full Spectrum Dominance23\n\n           The concept of the GIG evolved from concerns about the interoperability and\n           end-to-end integration of automated information systems. Issues such as\n           streamlined management and improved information infrastructure investment also\n           contributed to the heightened interest in a GIG. However, the real demand for a\n           GIG originates from the requirement for information and decision superiority to\n           achieve full spectrum dominance, as expressed in Joint Vision 2020. The ability\n           to achieve shared situational awareness and knowledge among all elements of a\n           joint force, including allied and coalition partners, is increasingly viewed as a\n           cornerstone to transform future warfighting capabilities.\n\n           Network-Centric Warfare. The GIG capstone requirements document states\n           that network-centric warfare allows a warfighting force to achieve improved\n           information positions in the form of common operational pictures that provide the\n           basis for shared situational awareness and knowledge, and a resulting increase in\n           combat power.\n\n           Information Superiority. Information superiority is the capability to collect,\n           process, and disseminate an uninterrupted flow of information while exploiting or\n           denying an adversary\xe2\x80\x99s ability to do the same. Information superiority is\n           achieved in a noncombat situation or one in which there are no clearly defined\n           adversaries when friendly forces have the information necessary to achieve\n           operational objectives. Information superiority provides the joint force with a\n           competitive\n23\n     Figure obtained from the GIG Capstone Requirements Document, August 30, 2001.\n\n\n                                                   43\n\x0cadvantage only when it is effectively translated into superior knowledge and\ndecisions. The joint force must be able to take advantage of superior information\nconverted to superior knowledge to achieve \xe2\x80\x9cdecision superiority.\xe2\x80\x9d\n\nDecision Superiority. Decision superiority is to arrive at better decisions and\nimplement them faster than an opponent can react, or in a noncombat situation, at\na tempo that allows the force to shape the situation or react to changes and\naccomplish its mission. Decision superiority does not automatically result from\ninformation superiority. Organizational and doctrinal adaptation, relevant\ntraining and experience, and the proper command and control mechanisms and\ntools are equally necessary.\n\nFull Spectrum Dominance. The transformation of the joint force to reach full\nspectrum dominance rests upon information superiority as a key enabler and our\ncapacity for innovation. The label full spectrum dominance implies that U.S.\nForces are able to conduct prompt, sustained, and synchronized operations with\ncombinations of forces tailored to specific situations and with access to and\nfreedom to operate in all domains: space, sea, land, air, and information.\nAdditionally, given the global nature of our interests and obligations, the United\nStates must maintain its overseas presence forces and the ability to rapidly project\npower worldwide in order to achieve full spectrum dominance.\n\n\n\n\n                                     44\n\x0cAppendix D. Army Interoperability and\n            Information Assurance Survey\n            Results\n                                                                                    Number of\n                                                                                     Program\n                                                                                    Managers\n         Survey Question                            Survey Answers                  Responded\n\n1. What acquisition category is       a. Acquisition Category I AM or                    0\n   your program?                           Acquisition Category I AC                     9\n                                      b. Acquisition Category I D or Acquisition        13\n                                           Category I                                   14\n                                      c. Acquisition Category II                         4\n                                      d. Acquisition Category III\n                                      e. Other\n2. What type of system is your        a. NS system                                      14\n   program?                           b. Information technology system (that is          5\n                                           not an NS system)                             8\n                                      c. Weapon system                                   8\n                                      d. Automated information system                    5\n                                      e. None of the above\n3. What is the last milestone your    a. Pre-acquisition (e.g., science and              1\n   program completed?                      technology, concept development,\n                                           demonstration)\n                                      b. Milestone A (or 0)                              3\n                                      c. Milestone B (or II or system                   13\n                                           development and demonstration)                4\n                                      d. Milestone C (or III or operational             14\n                                           system development)\n                                      e. Beyond Milestone C (or full-rate                6\n                                           production)\n                                      f. Other\n\n4. Which joint mission area does      a.   Dominant maneuver                            12\n   your program support? Select       b.   Deployment redeployment                       3\n   the appropriate answer based on    c.   Precision engagement                          7\n   the Chairman of the Joint Chiefs   d.   Strategic deterrence                          0\n   of Staff Memorandum                e.   Overseas presence and force projection        7\n   (CM-1014-00), \xe2\x80\x9cJoint Mission       f.   Special operations                            1\n   Areas to Organize the Joint        g.   Joint command and control                    11\n   Operational Architectures.\xe2\x80\x9d        h.   Information superiority                      14\n                                      i.   Focused logistics                             3\n                                      j.   Full dimensional protection                   7\n                                      k.   Multinational operations/                     4\n                                             interagency coordination\n                                      l.   Other                                        14\n\n\n\n\n                                            45\n\x0c                                                                                 Number of\n                                                                                  Program\n                                                                                 Managers\n         Survey Question                            Survey Answers               Responded\n\n5. For information technology or       a. Yes                                        31\n   NS systems, the ORD must            b. No                                          8\n   include interoperability            c. Unsure                                      2\n   requirements, thus requiring an\n   interoperability key performance\n   parameter. These systems must\n   also have related elements of IA.\n   In this respect, do you think IA is\n   a subcomponent of\n   interoperability?\n\n6. Should IA requirements be tested    a. Yes                                        34\n   in addition to interoperability     b. No                                          3\n   requirements?                       c. Unsure                                      3\n\n7. Has the Joint Staff J-6 certified   a. Yes                                        17\n   your program\xe2\x80\x99s ORD for              b. No, the ORD has not been through the        8\n   interoperability requirements?           process yet.\n                                       c. No, the ORD went through the process        1\n                                            but was not certified\n                                       d. In process                                  8\n                                       e. Unsure                                      7\n\n8. Is your program part of the GIG     a. Yes                                        17\n   asset inventory?                    b. No                                         11\n                                       c. Unsure                                     12\n9. How is your program compatible      a. Uses current defense information           12\n   with the GIG? Select all that          switched network services\n   apply.                              b. Uses approved allocated frequency          17\n                                          plans\n                                       c. Uses approved cryptology                   18\n                                       d. Meets appropriate standards (e.g.,         29\n                                          defense information infrastructure\n                                          common operating environment\n                                          compliance)\n                                       e. None of the above                           3\n                                       f. Other                                       5\n                                       g. Unsure                                      1\n\n\n\n\n                                            46\n\x0c                                                                                  Number of\n                                                                                   Program\n                                                                                  Managers\n         Survey Question                             Survey Answers               Responded\n\n10. Which Army oversight               a. Program executive officer/milestone         16\n    entity(ies) or command(s)             decision authority\n    ensures that your Acquisition      b. Army Deputy Chief of Staff for               7\n    Category I AM, I AC, I D, or I C      Programs\n    operates with other Defense        c. Assistant Secretary of the Army             10\n    agency and Military Department        (Acquisition, Logistics, and\n    acquisition programs as               Technology)\n    envisioned by the warfighter.      d. Army Test Command                            9\n                                       e. TRADOC                                      12\n                                       f. Deputy of Information Systems for C4I       10\n                                       g. Army Materiel Command                        1\n                                       h. Army Intelligence and Security               3\n                                          Command\n                                       i. Joint Staff J-6                              6\n                                       j. U.S. Joint Forces Command (J-6)              3\n                                       k. Other                                       23\n\n11. Which Army oversight               a. Program executive officer/milestone         29\n    entity(ies) or command(s)             decision authority\n    ensures that your Acquisition      b. Army Deputy Chief of Staff for               5\n    Category II or below program          Programs\n    operates with other Defense        c. Assistant Secretary of the Army             10\n    agency and Military Department        (Acquisition, Logistics, and\n    acquisition programs as               Technology)\n    envisioned by the warfighter.      d. Army Test Command                            3\n                                       e. TRADOC                                      11\n                                       f. Deputy of Information Systems for C4I       10\n                                       g. Army Materiel Command                        6\n                                       h. Army Intelligence and Security               1\n                                          Command                                      1\n                                       i. Other                                        8\n\n12. Of the following documentation     a.   ORD                                       31\n    normally provided to the           b.   CRD                                        8\n    milestone decision authority at    c.   C4I support plan                          21\n    Milestone B, which documents       d.   TEMP                                      24\n    fully describe interoperability    e.   Developmental test results                12\n    requirements and strategies?       f.   Operational test results                  11\n    Select all that apply.             g.   SEP                                       11\n                                       h.   Event design plan                          9\n                                       i.   Operational architecture view             18\n                                       j.   Systems architecture view                 16\n                                       k.   Technical architecture view               15\n                                       l.   Security plans                            13\n                                       m.   Other                                      9\n                                       n.   None                                       2\n\n\n\n\n                                             47\n\x0c                                                                           Number of\n                                                                            Program\n                                                                           Managers\n         Survey Question                            Survey Answers         Responded\n\n13. Of the following documentation    a.   ORD                                 32\n    normally provided to the          b.   CRD                                  8\n    milestone decision authority at   c.   C4I support plan                    23\n    Milestone C, which documents      d.   TEMP                                29\n    fully describe interoperability   e.   Developmental test results          20\n    requirements and strategies?      f.   Operational test results            23\n    Select all that apply.            g.   SEP                                 18\n                                      h.   Event design plan                    9\n                                      i.   Operational architecture view       16\n                                      j.   Systems architecture view           16\n                                      k.   Technical architecture view         17\n                                      l.   Security plans                      13\n                                      m.   Other                                6\n                                      n.   None                                 0\n\n14. Of the following documentation    a.   ORD                                 19\n    normally provided to the          b.   CRD                                  4\n    milestone decision authority at   c.   C4I support plan                    15\n    Milestone B, which documents      d.   TEMP                                13\n    fully describe IA requirements    e.   SSAA                                20\n    and strategies? Select all that   f.   Developmental test results           5\n    apply.                            g.   Operational test results             7\n                                      h.   SEP                                  7\n                                      i.   Event design plan                    3\n                                      j.   Operational architecture view        8\n                                      k.   Systems architecture view            6\n                                      l.   Technical architecture view          6\n                                      m.   Security plans                      11\n                                      n.   Other                                7\n                                      o.   None                                 2\n\n15. Of the following documentation    a.   ORD                                 22\n    normally provided to the          b.   CRD                                  5\n    milestone decision authority at   c.   C4I support plan                    18\n    Milestone C, which documents      d.   TEMP                                19\n    fully describe IA requirements    e.   SSAA                                29\n    and strategies? Select all that   f.   Developmental test results          12\n    apply.                            g.   Operational test results            13\n                                      h.   System evaluation plan              12\n                                      i.   Event design plan                    5\n                                      j.   Operational architecture view       10\n                                      k.   Systems architecture view           10\n                                      l.   Technical architecture view          8\n                                      m.   Security plans                      16\n                                      n.   Other                                7\n                                      o.   None                                 1\n\n\n\n\n                                            48\n\x0c                                                                                        Number of\n                                                                                         Program\n                                                                                        Managers\n         Survey Question                                Survey Answers                  Responded\n\n16. The inclusion of IA requirements     a. I agree                                         31\n    in an ORD would benefit from         b. I disagree                                       6\n    the addition of high-level           c. I am unsure                                      2\n    information exchange\n    requirements. (See Chairman of\n    the Joint Chiefs of Staff\n    Instruction 3170.01B,\n    \xe2\x80\x9cRequirements Generation\n    System.\xe2\x80\x9d)\n17. The ORD must define                  a. I agree                                         33\n    information exchange                 b. I disagree                                       5\n    requirements for information         c. I am unsure                                      1\n    technology and NS system\n    acquisition programs.\n18. IA should be a key performance       a. I agree                                         22\n    parameter in my acquisition          b. I disagree                                      12\n    program that must exchange data      c. I am unsure                                      2\n    external to the information\n    technology and NS system, or\n    weapon system\xe2\x80\x99s host platform.\n\n19. My acquisition program will          a.   Public key infrastructure                      7\n    include the following IA security    b.   Firewalls                                     17\n    techniques or technologies           c.   Smart cards                                    3\n    before production. Select all that   d.   Passwords                                     34\n    apply.                               e.   Encryption/decryption                         27\n                                         f.   Physical security                             31\n                                         g.   Frequency hopping                             16\n                                         h.   Restoration of capability                     20\n                                         i.   None of the above                              0\n                                         j.   Other ____                                     8\n20. My acquisition program will          a.   Public key infrastructure                      9\n    include the following IA security    b.   Firewalls                                     16\n    techniques or technologies after     c.   Smart cards                                    6\n    production. Select all that apply.   d.   Passwords                                     31\n                                         e.   Encryption/decryption                         27\n                                         f.   Physical security                             30\n                                         g.   Frequency hopping                             17\n                                         h.   None of the above                              2\n                                         i.   Other                                         10\n\n21. List all IA products that are        The program offices identified different           32\n    commercial off-the-shelf             commercial off-the-shelf products. A list of\n    products related and/or              the products identified is available upon\n    integrated into your acquisition     request.\n    program.\n\n\n\n                                               49\n\x0c                                                                                Number of\n                                                                                 Program\n                                                                                Managers\n         Survey Question                               Survey Answers           Responded\n\n22. Are all the products listed in        a. Yes                                    10\n    question 21 certified for IA by       b. No                                     14\n    the National Security Agency?         c. Unsure                                  5\n\n23. Do you plan to have all products      a. Yes                                     6\n    listed in question 21 certified for   b. No                                     12\n    IA by the National Security           c. If no, why not?                        11\n    Agency? Answer if question 22\n    was No.\n\n\n24. Do fluctuations in funding and        a. Yes                                    24\n    prioritization affect system          b. No                                     12\n    development as it relates to          c. If so, how?                            12\n    interoperability requirements?\n\n25. Is your program in compliance         a. Yes                                    34\n    with the Clinger-Cohen Act?           b. No                                      2\n                                          c. If no, why not?                         5\n26. Do you believe the GIG                a. Yes                                    22\n    currently addresses all IA            b. No                                     11\n    requirements?                         c. If no, what does it not address?       11\n\n\n\n\n                                               50\n\x0cAppendix E. Army Programs Surveyed\n1.    Army Airborne Command and Control             22. Joint Surveillance Target Attack\n        System                                            Radar System-Common Ground\n                                                          Sensor\n2.    Advanced Field Artillery Tactical Data\n        System Control System                       23. Joint Tactical Ground Station\n3.    Army Key Management System                    24. Joint Tactical Radio System\n4.    Air and Missile Defense Planning              25. Land Warrior Integrated Soldier\n        Control Systems                                   Fighting System\n5.    All Source Analysis System                    26. Medical Communications for Combat\n                                                          Casualty Care\n6.    Aviation Combined Arms Tactical\n        Trainer                                     27. Maneuver Control System\n7.    Close Combat Tactical Trainer                 28. Medium Extended Air Defense\n                                                          System\n8.    Combat Service Support Control\n        System                                      29. Mobile Tower System\n9.    Defense Message System-Army                   30. Movement Tracking System\n10.   Enhanced Position Location Reporting          31. Mounted Warrior Soldier System\n        System                                            Cordless Communications\n11.   Forward Area Air Defense Command,             32. Phased Array Tracking to Intercept of\n        Control and Intelligence                          Target (PATRIOT) Advanced\n                                                          Capability-3\n12.   Force XXI Battle Command Brigade-\n        and-Below                                   33. Profiler\n13.   Firefinder AN/TPQ-47                          34. Prophet\n14.   Global Combat Support System-Army             35. Sentinel\n15.   Global Positioning System Tactical            36. Single Channel Ground and Airborne\n        Receivers                                         Radio System\n16.   Guardrail/Common Sensor                       37. Spitfire\n17.   Integrated Meteorological System              38. Transformation Coordinators\xe2\x80\x99-\n                                                          Automated Information for\n18.   Integrated System Control                           Movements System II\n19.   Joint Land Attack Cruise Missile              39. Tactical Exploitation System\n        Defense Elevated Netted Sensor\n        System                                      40. Tactical Unmanned Aerial Vehicle\n20.   Joint Network Management System               41. Warfighter Simulation System\n21.   Joint Service Lightweight Stand-off\n        Chemical Agent Detector\n\n\n\n\n                                               51\n\x0cAppendix F. Information Assurance\n            Requirements Policy\n        DoD Directive 4630.5; DoD Directive 5000.1; DoD Directive 8500.1; DoD\n        Instruction 5000.2; DoD Guidebook, \xe2\x80\x9cInterim Defense Acquisition Guidebook;\xe2\x80\x9d24\n        Chairman of the Joint Chiefs of Staff Instruction 3170.01B; Army\n        Regulation 70-1; and Army Regulation 73-1 discuss information assurance (IA)\n        requirements generation and testing.\n\n        DoD Directive 4630.5. DoD Directive 4630.5 requires interoperability and\n        supportability requirements to be balanced with the need for IA. Further,\n        the Directive requires the DoD Components to ensure that program managers\n        and testers prepare test and evaluation plans for all information technology and\n        NS systems.\n\n        DoD Directive 5000.1. DoD Directive 5000.1 requires acquisition managers to\n        address IA for all weapon, C4I surveillance and reconnaissance, and information\n        technology programs that depend on external information sources or that provide\n        information to other DoD systems.\n\n        DoD Directive 8500.1. DoD Directive 8500.1 requires the DoD Components to\n        identify and include IA requirements in the design, acquisition, installation,\n        operation, upgrade, or replacement of all DoD information systems for which they\n        have responsibility.\n\n        DoD Instruction 5000.2. DoD Instruction 5000.2 requires operational testers\n        and evaluators to assess IA for all weapon, C4I surveillance and reconnaissance,\n        and information programs that depend on external information sources or that\n        provide information to other DoD systems.\n\n        DoD Instruction 8500.2. DoD Instruction 8500.2 requires the heads of DoD\n        components to ensure that IA awareness, training, education, and\n        professionalization are provided to all military and civilian personnel, including\n        contractors, commensurate with their respective responsibilities for developing,\n        using, operating, administering, maintaining, and retiring DoD information\n        systems in accordance with Deputy Secretary of Defense guidance. The\n        Instruction also states that the heads of DoD components to provide for an IA\n        monitoring and testing capability according to DoD Directive 4640.6. Further,\n        the Instruction states that the IA Manager shall ensure that IA inspections, tests,\n        and reviews are coordinated. In addition, the Instruction states that the ability to\n        test and verify is an essential competency of the DoD IA program. Finally, the\n\n24\n Formerly, DoD Regulation 5000.2-R, \xe2\x80\x9cMandatory Procedures for Major Defense Acquisition Programs\n (MDAPs) and Major Automated Information System (MAIS) Acquisition Programs,\xe2\x80\x9d April 5, 2002. The\n Deputy Secretary\xe2\x80\x99s memorandum, \xe2\x80\x9cDefense Acquisition,\xe2\x80\x9d October 30, 2002, and Attachment 2 to that\n memorandum reference a guidebook to accompany the interim guidance. The former DoD\n Regulation 5000.2-R will serve as the guidebook while the Defense Acquisition Policy Working Group\n creates a streamlined guidebook. The guidebook is not mandatory, but should be used for best practices,\n lessons learned, and expectations until replaced.\n\n\n                                                  52\n\x0cInstruction states that the IA objective condition is testable, IA compliance is\nmeasurable, and the activities required to achieve the IA Control are assignable\nand accountable.\n\nDoD Guidebook. The Guidebook states that operational test and evaluation\nshould determine:\n\n       \xe2\x80\xa2   the operational effectiveness and suitability of a system under realistic\n           operational conditions, including combat; and\n\n       \xe2\x80\xa2   whether the system has satisfied thresholds and objectives in the\n           approved ORD and the associated critical operational issues.\n\nJoint Staff. Chairman of the Joint Chiefs of Staff Instruction 3170.01B requires\nall DoD systems that are used to enter, process, store, display, or transmit DoD\ninformation regardless of classification or sensitivity to address IA. Further, the\nInstruction requires the initial ORD to establish requirements describing the\ncapabilities and characteristics of the proposed system. The Instruction also\nrequires the requirements to be written in output-oriented and measurable terms in\nthreshold and objective format with criteria and rationale for each.\n\nArmy Regulation 70-1. Army Regulation 70-1 requires the Army Training and\nDoctrine Command to develop and update ORDs.\n\nArmy Regulation 73-1. Army Regulation 73-1 states that a system\xe2\x80\x99s TEMP\nprovides a map for integrated simulation, test and evaluation plans, schedules, and\nresource requirements necessary to accomplish the test and evaluation program.\nFurther, the Regulation states that appropriate developmental testing assesses the\nachievement of critical technical parameters, identifies technological and design\nrisks, determines readiness to proceed to the initial operational test, and provides\ndata for system evaluations. In addition, the Regulation states that the initial\noperational test determines operational effectiveness, suitability, and the\nsurvivability of the system under realistic conditions.\n\n\n\n\n                                    53\n\x0cAppendix G. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n   Director for Acquisition Initiatives\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Networks and Information Integration)\nDirector, Operational Test and Evaluation\n\nJoint Staff\nDirector, Joint Staff\n   Director for Command, Control, Communications, and Computers Systems (J-6)\n   Director for Force Structure, Resources, and Assessment (J-8)\n\nDepartment of the Army\nAssistant Secretary of the Army (Acquisition, Logistics, and Technology)\nCommander, Army Training and Doctrine Command\nCommander, Army Test and Evaluation Command\nChief Information Officer, Department of the Army\nDeputy Chief of Staff for Operations and Plans\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nUnified Command\nCommander, U.S. Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Information Systems Agency\n   Commander, Joint Interoperability Test Command\n\n                                          54\n\x0cNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\n\n\n\n                                        55\n\x0c\x0c___________________________________________________________________\n\n\n\nDirector, Operational Test and Evaluation\nComments\n\n\n\n\n                             57\n\x0c___________________________________________________________________\n\n\n\nSecretary of the Army and Army Chief\nInformation Officer Comments\n\n\n\n\n                             58\n\x0c___________________________________________________________________\n\n\n\n\n                             59\n\x0c___________________________________________________________________\n\n\n\n\n                             60\n\x0c___________________________________________________________________\n\n\n\n\n                             61\n\x0c___________________________________________________________________\n\n\n\n\n                             62\n\x0c___________________________________________________________________\n\n\n\n\n                             63\n\x0c___________________________________________________________________\n\n\n\n\n                             64\n\x0c___________________________________________________________________\n\n\n\nAssistant Secretary of the Army (Acquisition,\nLogistics, and Technology) Comments\n\n\n\n\n                             65\n\x0cTeam Members\nThe Acquisition Management Directorate, Office of the Deputy Inspector General\nfor Auditing of the Department of Defense prepared this report. Personnel of the\nOffice of the Inspector General of the Department of Defense who contributed to\nthe report are listed below.\n\nJohn E. Meling\nJack D. Snider\nSuellen R. Brittingham\nMark E. Stephens\nKevin W. Klein\nKelly R. McMaster\nJessica M. Ullrey\nJacqueline N. Pugh\n\x0c"